Support Bitwarden Secrets Manager

[fastlorenzo]

Is your feature request related to a problem? Please describe.
Bitwarden Secrets Manager is currently not supported by external-secrets.

Describe the solution you'd like
Bitwarden recently released their Secrets Manager solution, which has better API support and is meant to be use as a secret store to be used programmatically.

https://bitwarden.com/products/secrets-manager/

Describe alternatives you've considered
N/A

Additional context
Bitwarden SDK: https://github.com/bitwarden/sdk/

The following can be used to authenticate using a service account:

curl -X POST https://vault.bitwarden.com/identity/connect/token -H "content-type: application/x-www-form-urlencoded" --data 'scope=api.secrets&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&grant_type=client_credentials'


{"access_token":"<TOKEN>","expires_in":3600,"token_type":"Bearer","scope":"api.secrets","encrypted_payload":"<PAYLOAD>"}

The resulting access token can be used to retrieve the server by ID:

curl https://vault.bitwarden.com/api/secrets/<SECRET_ID> -H 'Content-Type: application/json' -H "Authorization: Bearer <TOKEN>"


{"id":"<SECRET_ID>","organizationId":"<ORG_ID>","key":"<KEY>","value":"<VALUE>","note":"<NOTE>","creationDate":"2023-08-28T12:32:50.6798356Z","revisionDate":"2023-08-28T12:32:50.6798357Z","projects":[{"id":"<PROJECT_ID>","name":"<PROJECT_NAME>"}],"read":true,"write":false,"object":"secret"}

Please note that the returned secret looks encrypted, I still need to figure out how to decrypt it.

However, another option would be to use the bws secret get <SECRET_ID> -t <SERVICE_ACCOUNT_SECRET> command, which returns the secret in clear text.

[fastlorenzo]

api.json.txt

Attached the swagger file I've extracted from latest master of Bitwarden Server (if it can be of any use)

[larivierec]

oh nice, i didn't see there was an api attached to bitwarden, this should be possible now :)
the second option isn't really viable because that means bws would have to be packaged with external-secrets.

the first option is definitely the better way.
the other thing would be the bitwarden/sdk would ideally have to expose a golang client otherwise, it would have to re-written

[fastlorenzo]

the other thing would be the bitwarden/sdk would ideally have to expose a golang client otherwise, it would have to re-written

I think this should do it once merged 😄 bitwarden/sdk-sm#218

[logan-hcg]

Looks like the golang SDK was just merged 🤞

[fastlorenzo]

@larivierec are you taking this up with the bitwarden golang SDK?
I can help but I'm not a pro writing in golang 😄

[larivierec]

I could look, I just saw it was released
having looked at it, seems that CGO is required meaning that external-secrets will have to package a binary with the release.

if that's a viable option, then sure, it's doable but it would greatly increase the size of this project and bitwarden binary would have to be shipped with external-secrets.

unless i'm mistaken?

Ref: https://github.com/bitwarden/sdk/blob/master/languages/go/internal/cinterface/bitwarden_library.go#L8-L17

[larivierec]

So from what I see, the bws team are suggesting that we manually download the cross compiled binary from GH.

I have just generated the binaries using docker to get an idea of what is required schema.go and the main static library is 130 Mb
Considering this, we'd have to know if the external-secrets maintainers would want to do any of the following.

1. Create a custom docker image i.e. Dockerfile.bitwarden to avoid having this extra 130 Mb be added to the main image. This image would also need to be using glibc alpine would be out of the question + enable CGO.

I could try with alpine, but no guarantee it would be compatible.

2. Add this 130 Mb file to the normal Dockerfile and enable CGO.

Test:

Dockerfile to generate their library

FROM rust:1.74.0-slim-bookworm

RUN apt update && apt install npm ts-node -y

WORKDIR /app
COPY . /app

RUN cargo build --release
RUN npm ci && npm run schemas

You can see the sizes below

-rw-r--r--.   2 root root 130975454 Dec  5 14:28 libbitwarden_c.a
-rw-r--r--.   1 root root     37516 Dec  5 14:28 libbitwarden_c.d
-rw-r--r--.   2 root root   3350746 Dec  5 14:28 libbitwarden_c.rlib
-rwxr-xr-x.   2 root root  14717280 Dec  5 14:28 libbitwarden_c.so

The best approach would've been to expose an actual API, but i guess this was not the chosen path.

Note:
The reason for GLIBC (aka, debian/ubuntu)

root@6b01ea400a2d:/app/target/release# ldd libbitwarden_c.so
	linux-vdso.so.1 (0x0000ffff82ccb000)
	libgcc_s.so.1 => /lib/aarch64-linux-gnu/libgcc_s.so.1 (0x0000ffff824d0000)
	libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff82430000)
	libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff82280000)
	/lib/ld-linux-aarch64.so.1 (0x0000ffff82c8e000)

I see @gusfcarvalho has contributed to a few PRs.
What are your thoughts on this?

[jenrik]

perhaps a webhook based integration might be a better starting point for now, we can avoid bloating external-secrets by shipping bitwarden secret manager related things in a separate container

[larivierec]

Yeah, after seeing the integration I do believe this is a better avenue

I was expecting a simple REST api or something

[kevindurb]

Any movement on this? Any way that I could help? Would love to switch from the cli api to bw secrets manager if only to have the ability to not expose my entire vault to my kubernetes cluster 😬

[jenrik]

as an alternative Bitwarden have launched their own operator, https://preview.bitwarden.com/help/helm-integration/

[fastlorenzo]

as an alternative Bitwarden have launched their own operator, https://preview.bitwarden.com/help/helm-integration/

@jenrik the link you've provided seems down already

[Skarlso]

I'll take this one.

FYI:
<- Bitwarden user