A Kubernetes operator that integrates Bitwarden/Vaultwarden with the External Secrets Operator to securely manage your Kubernetes secrets.
# Step 1: Install External Secrets Operator
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
-n external-secrets --create-namespace
# Step 2: Install Bitwarden External Secrets
helm repo add eznix86 https://eznix86.github.io/bitwarden-external-secrets
helm install bitwarden-external-secrets eznix86/bitwarden-external-secrets \
-n bitwarden-external-secrets --create-namespace \
--set secrets.bw_clientid="YOUR_CLIENT_ID" \
--set secrets.bw_clientsecret="YOUR_CLIENT_SECRET" \
--set secrets.bw_password="YOUR_MASTER_PASSWORD"
# Step 3: Verify installation
kubectl get pods -n external-secrets
kubectl get pods -n bitwarden-external-secretsThis operator allows you to:
- Use your Bitwarden vault as a secure backend for Kubernetes secrets
- Automatically sync secrets from Bitwarden to Kubernetes
- Bitwarden Operator will handle secret rotation and management on demand
Note
This operator is different from the Bitwarden Kubernetes Operator. It uses Bitwarden as a source for secrets rather than managing Bitwarden itself.
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace
# Verify External Secrets installation
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=external-secrets \
-n external-secrets --timeout=60shelm repo add eznix86 https://eznix86.github.io/bitwarden-external-secrets
helm repo update
helm install bitwarden-external-secrets eznix86/bitwarden-external-secrets \
-n bitwarden-external-secrets \
--create-namespace \
--set secrets.bw_clientid="YOUR_CLIENT_ID" \
--set secrets.bw_clientsecret="YOUR_CLIENT_SECRET" \
--set secrets.bw_password="YOUR_MASTER_PASSWORD" \
--set secrets.bw_host="https://bitwarden.com" # or your Vaultwarden instance URL
# Verify Bitwarden External Secrets installation
kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=bitwarden-external-secrets \
-n bitwarden-external-secrets --timeout=60s
kubectl wait --for=condition=ready pod -l app=bitwarden-operator \
-n bitwarden-external-secrets --timeout=60sNote: You can find
bw_clientidandbw_clientsecretin your Bitwarden/Vaultwarden account settings under API Key.
Create a YAML file with your BitwardenSecret definition:
apiVersion: bitwarden.external-secrets.io/v1alpha1
kind: BitwardenSecret
metadata:
name: my-application-secrets # Name of the BitwardenSecret resource
spec:
namespace: my-application # Target namespace for the generated K8s Secret
secrets:
# Each key will be created in the resulting Secret
db-username:
itemRef:
id: "your-bitwarden-item-id" # On Bitwarden Web UI, Grab the itemId from the URL
type: login # Type of Bitwarden item
property: username # Property to extract from the item
db-password:
itemRef:
id: "your-bitwarden-item-id"
type: login
property: password
ssh-key:
itemRef:
id: "your-ssh-key-item-id"
type: sshKey
property: privateKey # Can be privateKey, publicKey, or keyFingerprintApply the configuration:
kubectl apply -f my-bitwarden-secret.yamlThe operator will automatically create a Kubernetes Secret with the specified values from your Bitwarden vault.
| Bitwarden Item Type | Supported Properties | Description |
|---|---|---|
login |
username, password |
Login credentials |
note |
(entire note content) | Secure notes |
field |
(custom field names) | Custom fields from any item |
sshKey |
privateKey, publicKey, keyFingerprint |
SSH keys |
kubectl get bitwardensecrets
# or
kubectl get bwskubectl logs -l app=bitwarden-operator -n bitwarden-external-secretsTo cleanly uninstall the charts:
helm uninstall bitwarden-external-secrets -n bitwarden-external-secrets
helm uninstall external-secrets -n external-secretsContributions are welcome! Feel free to submit issues or pull requests.