Code optimizations & CiliumNetworkPolicy Support

.github/workflows/docker-builds.yaml

@@ -75,21 +75,6 @@ jobs:
           images: ${{ env.DOCKER_IMAGE_NAME }}:${{ inputs.image_tag }}-amd64,  ${{ env.DOCKER_IMAGE_NAME }}:${{ inputs.image_tag }}-arm64
           push: true
 
-      - name: Cleanup Internediate Manual Platform-Specific Images
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        run: | 
-          REPO=${{ env.DOCKER_IMAGE_NAME }}
-          DH_USER=${{ env.DOCKERHUB_USERNAME }}
-          DH_PASS=${{ env.DOCKERHUB_PAT }}
-          JWT=$(curl -s -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d "{\"username\":\"${DH_USER}\",\"password\":\"${DH_PASS}\"}" -L 'https://hub.docker.com/v2/users/login' | jq -r '.token')
-
-          TAG=${{ inputs.image_tag }}-arm64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-          
-          TAG=${{ inputs.image_tag }}-amd64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-
-
       - name: Tagged Build/Push - amd64
         if: ${{ github.event_name != 'workflow_dispatch' }}
         uses: docker/build-push-action@v5
@@ -131,16 +116,16 @@ jobs:
           images: ${{ env.DOCKER_IMAGE_NAME }}:${{ github.ref_name }}-amd64,  ${{ env.DOCKER_IMAGE_NAME }}:${{ github.ref_name }}-arm64
           push: true
 
-      - name: Cleanup Internediate Tagged Platform-Specific Images
-        if: ${{ github.event_name != 'workflow_dispatch' }}
+      - name: Cleanup Internediate Images
         run: | 
           REPO=${{ env.DOCKER_IMAGE_NAME }}
           DH_USER=${{ env.DOCKERHUB_USERNAME }}
           DH_PASS=${{ env.DOCKERHUB_PAT }}
           JWT=$(curl -s -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d "{\"username\":\"${DH_USER}\",\"password\":\"${DH_PASS}\"}" -L 'https://hub.docker.com/v2/users/login' | jq -r '.token')
+          tags=$(curl -L -s 'https://hub.docker.com/v2/repositories/${REPO}/tags?page_size=1024' | jq -r '.results[].name' | grep -E '\-arm64|\-amd64')
 
-          TAG=${{ github.ref_name }}-amd64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-          
-          TAG=${{ github.ref_name }}-arm64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
+          # Iterate over tags
+          for tag in $tags; do
+              echo "Deleting intermediate tag: $tag"
+              curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${tag}/" -X DELETE -H "Authorization: JWT ${JWT}"
+          done

.github/workflows/docker-nightly.yaml

@@ -59,19 +59,6 @@ jobs:
           images: ${{ env.DOCKER_IMAGE_NAME }}:nightly-amd64,${{ env.DOCKER_IMAGE_NAME }}:nightly-arm64
           push: true
 
-      - name: Cleanup Internediate Nightly Platform-Specific Images
-        run: | 
-          REPO=${{ env.DOCKER_IMAGE_NAME }}
-          DH_USER=${{ env.DOCKERHUB_USERNAME }}
-          DH_PASS=${{ env.DOCKERHUB_PAT }}
-          JWT=$(curl -s -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d "{\"username\":\"${DH_USER}\",\"password\":\"${DH_PASS}\"}" -L 'https://hub.docker.com/v2/users/login' | jq -r '.token')
-
-          TAG=nightly-arm64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-          
-          TAG=nightly-amd64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-
       - name: Most Recent Semver Tag
         uses: actions-ecosystem/action-get-latest-tag@v1
         with:
@@ -111,15 +98,16 @@ jobs:
           images: ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.most-recent-tag.outputs.tag }}-amd64,  ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.most-recent-tag.outputs.tag }}-arm64
           push: true
 
-      - name: Cleanup Internediate Tagged Platform-Specific Images
+      - name: Cleanup Internediate Images
         run: | 
           REPO=${{ env.DOCKER_IMAGE_NAME }}
           DH_USER=${{ env.DOCKERHUB_USERNAME }}
           DH_PASS=${{ env.DOCKERHUB_PAT }}
           JWT=$(curl -s -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d "{\"username\":\"${DH_USER}\",\"password\":\"${DH_PASS}\"}" -L 'https://hub.docker.com/v2/users/login' | jq -r '.token')
+          tags=$(curl -L -s 'https://hub.docker.com/v2/repositories/${REPO}/tags?page_size=`1024`' | jq -r '.results[].name' | grep -E '\-arm64|\-amd64')
 
-          TAG=${{ steps.most-recent-tag.outputs.tag }}-amd64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
-          
-          TAG=${{ steps.most-recent-tag.outputs.tag }}-amd64
-          curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${TAG}/" -X DELETE -H "Authorization: JWT ${JWT}"
+          # Iterate over tags
+          for tag in $tags; do
+              echo "Deleting intermediate tag: $tag"
+              curl -s "https://hub.docker.com/v2/repositories/${REPO}/tags/${tag}/" -X DELETE -H "Authorization: JWT ${JWT}"
+          done

.github/workflows/gh-pages.yaml

@@ -1,10 +1,9 @@
 name: Deploy GH Pages
 
 on:
-  release:
-    types: 
-      - published
-      - created
+  push:
+    tags: 
+      - 'bwsm-eso-provider-*'
     paths:
       - README.md
       - charts/**/README.md

artifacthub-repo.yml

@@ -7,4 +7,4 @@ owners:
 
 ignore:
   - name: bwsm-eso-provider
-    version: beta*
+    version: *-beta

charts/bwsm-eso-provider/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 name: bwsm-eso-provider
 description: Helm chart to use Bitwarden Secrets Manaager (BWSM) as a Provider for External Secrets Operator (ESO)
 type: application
-version: 0.0.9
+version: 0.1.0-beta
 # renovate: image=bojanraic/bwsm-eso
-appVersion: "0.0.9"
+appVersion: "0.1.0-beta"
 icon: https://bojanraic.github.io/bitwarden-secrets-manager-eso/chart-icon.png
 maintainers:
   - name: "Bojan Raic"

charts/bwsm-eso-provider/README.md

@@ -1,6 +1,6 @@
 # bwsm-eso-provider
 
-![Version: 0.0.9](https://img.shields.io/badge/Version-0.0.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.9](https://img.shields.io/badge/AppVersion-0.0.9-informational?style=flat-square)
+![Version: 0.1.0-beta](https://img.shields.io/badge/Version-0.1.0--beta-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0-beta](https://img.shields.io/badge/AppVersion-0.1.0--beta-informational?style=flat-square)
 
 Helm chart to use Bitwarden Secrets Manaager (BWSM) as a Provider for External Secrets Operator (ESO)
 
@@ -23,6 +23,8 @@ Helm chart to use Bitwarden Secrets Manaager (BWSM) as a Provider for External S
 | bwsm_eso_provider.auth.existingSecret | string | `""` | use an existing secret for bitwarden secrets manager credentials; ignores above credentials if this is set |
 | bwsm_eso_provider.auth.secretKeys.accessToken | string | `"BWS_ACCESS_TOKEN"` | secret key for bitwarden secrets manager access token to use to authenticate BWS CLI and fetch secrets in the pod; do not change unless customizing the Express.JS wrapper code |
 | bwsm_eso_provider.create_cluster_secret_store | bool | `true` | if set to True, we'll create a cluster-wide Cluster Secret Store see: https://external-secrets.io/latest/introduction/overview/#clustersecretstore |
+| bwsm_eso_provider.eso_namespace | string | `"external-secrets"` | specify namespace where ESO is installed |
+| bwsm_eso_provider.network_policy.cilium | bool | `false` | if Cilium is used (for creating a CiliumNetworkPolicy) |
 | bwsm_eso_provider.network_policy.enabled | bool | `true` | enable a network policy between BWSM pod(s) and ESO namespace; highly recommended as the Express.js App provides no authentication |
 | bwsm_eso_provider.network_policy.labels | object | `{"app.kubernetes.io/name":"external-secrets"}` | specify the labels to match against for the network policy |
 | bwsm_eso_provider.sample_secret.create | bool | `false` | create a sample external secret for quick verification; works only when create_cluster_secret_store is True |

charts/bwsm-eso-provider/templates/cluster-secret-store.yaml

@@ -3,7 +3,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
-  name: bwsm-cluster-store
+  name: {{ .Release.Name }}-cluster-store
 spec:
   provider:
     webhook:

charts/bwsm-eso-provider/templates/network-policy.yaml

@@ -1,18 +1,50 @@
-{{- if .Values.bwsm_eso_provider.network_policy.enabled }}
+{{- if and .Values.bwsm_eso_provider.network_policy.enabled (not .Values.bwsm_eso_provider.network_policy.cilium) }}
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: external-secrets-operator-ns-to-{{ .Release.Name }}-policy
+  name: eso-ns-to-{{ .Release.Name }}-policy
   namespace: {{ .Release.Namespace }}
 spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      app.kubernetes.io/name: {{ .Release.Name }}
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
   ingress:
     - from:
-      - namespaceSelector:
-          matchLabels:
+        - namespaceSelector:
+            matchExpressions:
+              - key: namespace
+                operator: In
+                values:
+                  - {{ .Values.bwsm_eso_provider.eso_namespace }}
+      ports:
+        - port: 8080
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+            {{ toYaml .Values.bwsm_eso_provider.network_policy.labels | indent 2 }}
+{{- end }}
+{{- if and .Values.bwsm_eso_provider.network_policy.enabled .Values.bwsm_eso_provider.network_policy.cilium }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: eso-ns-to-{{ .Release.Name }}-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector: {}
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: {{ .Values.bwsm_eso_provider.eso_namespace }}
+      toPorts:
+        - ports:
+            - port: "8080"
+  egress:
+    - toEndpoints:
+        - matchLabels:
           {{ toYaml .Values.bwsm_eso_provider.network_policy.labels | indent 2 }}
+
 {{- end }}

charts/bwsm-eso-provider/values.yaml

@@ -6,6 +6,8 @@ bwsm_eso_provider:
   # -- if set to True, we'll create a cluster-wide Cluster Secret Store
   # see: https://external-secrets.io/latest/introduction/overview/#clustersecretstore
   create_cluster_secret_store: true
+  # -- specify namespace where ESO is installed
+  eso_namespace: external-secrets  
   auth:
     # -- bitwarden secrets manager access token to use to authenticate BWS CLI and fetch secrets in the pod; ignored if existingSecret is set
     accessToken: ""
@@ -32,7 +34,8 @@ bwsm_eso_provider:
     # -- specify the labels to match against for the network policy
     labels:
       app.kubernetes.io/name: external-secrets
-
+    # -- if Cilium is used (for creating a CiliumNetworkPolicy)
+    cilium: false
 # -- number of replicas to deploy
 replicaCount: 1
 

src/Dockerfile

@@ -32,7 +32,6 @@ WORKDIR $WORKDIR
 
 COPY --from=base $WORKDIR/ $WORKDIR/
 COPY --from=bws /bin/sh /bin/sh
-COPY --from=bws /bin/wget /bin/wget
 COPY --from=bws $WORKDIR/bws $WORKDIR/bws
 
 EXPOSE $PORT

src/controllers/secretidController.js

@@ -1,5 +1,5 @@
 import * as service from '../services/bwsService.js';
 
-export function getById(req, res, next) {
+export async function getById(req, res, next) {
   service.getById(req, res);
 };

src/index.js

@@ -1,27 +1,39 @@
 import server from "./server.js";
 
-const env = process.env.NODE_ENV ? process.env.NODE_ENV : "production";
+const env = process.env.NODE_ENV || "production"; // Use a default value if NODE_ENV is not set
 
-server.deploy(env).catch((err) => {
-  console.log(err);
-});
+// Start the server
+async function startServer() {
+    try {
+        await server.deploy(env);
+        console.log(`Server deployed successfully in ${env} mode.`);
+    } catch (error) {
+        console.error(`Error deploying server: ${error}`);
+        process.exit(1);
+    }
+}
+
+startServer();
 
-// quit on ctrl-c when running docker in terminal
-process.on("SIGINT", function onSigint() {
-  console.log(
-    `[${new Date().toISOString()}] Got SIGINT (aka ctrl-c in docker). Graceful shutdown`
-  );
-  shutdown();
+// Graceful shutdown on SIGINT (Ctrl+C) or SIGTERM (docker container stop)
+process.on("SIGINT", () => {
+    console.log(`[${new Date().toISOString()}] Got SIGINT (Ctrl+C). Graceful shutdown.`);
+    shutdown();
 });
 
-// quit properly on docker stop
-process.on("SIGTERM", function onSigterm() {
-  console.log(
-    `[${new Date().toISOString()}] Got SIGTERM (docker container stop). Graceful shutdown`
-  );
-  shutdown();
+process.on("SIGTERM", () => {
+    console.log(`[${new Date().toISOString()}] Got SIGTERM (docker container stop). Graceful shutdown.`);
+    shutdown();
 });
 
-const shutdown = () => {
-  server.undeploy();
-};
+// Function to gracefully shutdown the server
+async function shutdown() {
+    try {
+        server.undeploy();
+        console.log("Server shutdown completed.");
+        process.exit(0);
+    } catch (error) {
+        console.error(`Error during server shutdown: ${error}`);
+        process.exit(1);
+    }
+}

src/package.json

@@ -1,6 +1,6 @@
 {
     "name": "bwsm-eso",
-    "version": "0.0.9",
+    "version": "0.1.0-beta",
     "description": "This is a Bitwarden Secrets Manager ESO wrapper based on the OpenAPI 3.0 specification.",
     "license": "AGPL-3.0-only",
     "type": "module",
@@ -27,4 +27,4 @@
     "devDependencies": {
         "@types/express": "^4.17.21"
     }
-}
+}