Commit c7bc18a

Remove support for API token
It is completely pointless, as you need the master password regardless.
1 parent 27cc1a7 commit c7bc18a

2 files changed

+27
-7
lines changed

README.md

Lines changed: 21 additions & 5 deletions
@@ -2,14 +2,30 @@
22

33
This repository contains a container image intended to be used as a [Bitwarden](https://bitwarden.com) "server" for [external-secrets](https://external-secrets.io/latest/examples/bitwarden).
44

5-
It expects two environment variables, as per [the official documentation](https://bitwarden.com/help/cli/#using-an-api-key):
5+
### Environment variables
66

7-
- `BW_CLIENTID`
8-
- `BW_CLIENTSECRET`
7+
These should be pretty much self-explanatory.
98

10-
Optionally you can also specify a different server with `BW_SERVER`.
9+
- `BW_USERNAME`
10+
- `BW_PASSWORD`
11+
- `BW_PASSWORD_FILE`
12+
- defaults to `/secrets/BW_PASSWORD`
13+
- this is recommended over `BW_PASSWORD` envvar
14+
- `BW_SERVER`
15+
- defaults to whatever the Bitwarden CLI sets as a default
16+
- `BW_PORT`
17+
- defaults to `8087`
1118

12-
It will listen on port `8087` by default, overridable with `BW_PORT`
19+
### Usage
20+
21+
Follow the guide provided in the docs for external-secrets found here:
22+
<https://external-secrets.io/latest/examples/bitwarden>
23+
24+
> It is **highly** recommended to deploy a network policy with this, otherwise the unlocked vault will be accessible by the entire cluster!
25+
26+
Substitute this image: `ghcr.io/p3lim/ghcr.io/p3lim/bitwarden-cli:VERSION`
27+
See the latest version tags here:
28+
<https://github.com/p3lim/bitwarden-cli/pkgs/container/bitwarden-cli>
1329

1430
### Vault sync
1531
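Review bot: The image reference in the new Usage section repeats the registry prefix: `ghcr.io/p3lim/ghcr.io/p3lim/bitwarden-cli:VERSION` will not resolve as written, and the package URL two lines below it suggests the intended value is `ghcr.io/p3lim/bitwarden-cli:VERSION`. In the environment variable list, "self-explanatory" leaves it implicit that `BW_PASSWORD` and `BW_PASSWORD_FILE` carry the master password; say so explicitly, and document which one takes precedence when both are set (the entrypoint in this commit checks the file first).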

entrypoint.sh

Lines changed: 6 additions & 2 deletions
@@ -6,8 +6,12 @@ if [ -n "$BW_SERVER" ]; then
66
bw config server "$BW_SERVER"
77
fi
88

9-
if [ -n "$BW_CLIENTID" ] && [ -n "$BW_CLIENTSECRET" ]; then
10-
export BW_SESSION="$(bw login --apikey --raw)"
9+
if [ -n "$BW_USERNAME" ]; then
10+
if [ -f "${BW_PASSWORD_FILE:-/secrets/BW_PASSWORD}" ]; then
11+
export BW_SESSOIN="$(bw login "$BW_USERNAME" --passwordfile "${BW_PASSWORD_FILE:-/secrets/BW_PASSWORD}" --raw)"
12+
elif [ -n "$BW_PASSWORD" ]; then
13+
export BW_SESSION="$(bw login "$BW_USERNAME" --passwordenv "$BW_PASSWORD" --raw)"
14+
fi
1115
fi
1216

1317
bw unlock --check
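Review bot: `BW_SESSOIN` in the password-file branch is a typo for `BW_SESSION`, so on the recommended `BW_PASSWORD_FILE` path the session key is exported under the wrong name and the `bw unlock --check` that follows has no session to check. In the `elif` branch, `--passwordenv "$BW_PASSWORD"` expands the password itself onto the command line; the option takes the name of an environment variable, so this should read `--passwordenv BW_PASSWORD`, which also keeps the secret out of the process arguments. Consider exiting with an error when `BW_USERNAME` is set but neither the password file nor `BW_PASSWORD` is present, instead of falling through silently to the unlock check.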
