{"id":26477938,"url":"https://github.com/external-secrets/bitwarden-sdk-server","last_synced_at":"2026-02-02T08:29:33.474Z","repository":{"id":243851700,"uuid":"813271246","full_name":"external-secrets/bitwarden-sdk-server","owner":"external-secrets","description":"This repository contains a simple REST wrapper for the Bitwarden Rust SDK","archived":false,"fork":false,"pushed_at":"2025-03-01T12:00:32.000Z","size":21381,"stargazers_count":14,"open_issues_count":2,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-01T13:19:06.279Z","etag":null,"topics":["bitwarden","external-secrets","golang"],"latest_commit_sha":null,"homepage":"https://external-secrets.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/external-secrets.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-10T20:01:03.000Z","updated_at":"2025-03-01T12:00:29.000Z","dependencies_parsed_at":"2024-06-25T07:59:05.312Z","dependency_job_id":"32da328c-5eda-469a-bcb8-4103850763bb","html_url":"https://github.com/external-secrets/bitwarden-sdk-server","commit_stats":null,"previous_names":["external-secrets/bitwarden-sdk-server"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fbitwarden-sdk-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fbitwarden-sdk-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/external-secrets%2Fbitwarden-sdk-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/external-secrets%2Fbitwarden-sdk-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/external-secrets","download_url":"https://codeload.github.com/external-secrets/bitwarden-sdk-server/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244531013,"owners_count":20467391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitwarden","external-secrets","golang"],"created_at":"2025-03-20T00:58:36.926Z","updated_at":"2026-02-02T08:29:33.419Z","avatar_url":"https://github.com/external-secrets.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# bitwarden-sdk-server\n\nThis repository contains a simple REST wrapper for the Bitwarden Rust SDK.\n\n## Purpose\n\nThe main purpose of this API is to accommodate the needs for [External Secrets Operator](https://external-secrets.io) to\ntalk to Bitwarden Secrets Manager.\n\nThe API is slim and follows basic REST principles. 
The following endpoints are supported with sample requests:\n\n\n### GetSecret\n\n`/rest/api/1/secret`\n\nMethod `GET`.\n\n```json\n{\n  \"id\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\"\n}\n```\n\nResponse:\n```json\n{\n  \"creationDate\": \"2024-04-04\",\n  \"id\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"key\": \"test\",\n  \"note\": \"note\",\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"revisionDate\": \"2024-04-04\",\n  \"value\": \"value\"\n}\n```\n\n### GetSecretsByIds\n\n`/rest/api/1/secrets-by-ids`\n\nMethod `GET`.\n\n```json\n{\n  \"ids\": [\n    \"f5847eef-2f89-43bc-885a-b18a01178e3e\", \"0cab75c4-ba26-4996-a8bf-517095857ce3\"\n  ]\n}\n```\n\nResponse:\n```json\n{\n  \"data\": [\n    {\n      \"creationDate\": \"2024-04-04\",\n      \"id\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n      \"key\": \"test\",\n      \"note\": \"note\",\n      \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n      \"revisionDate\": \"2024-04-04\",\n      \"value\": \"value\"\n    },\n    {\n      \"creationDate\": \"2024-04-05\",\n      \"id\": \"0cab75c4-ba26-4996-a8bf-517095857ce3\",\n      \"key\": \"test2\",\n      \"note\": \"note2\",\n      \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n      \"revisionDate\": \"2024-04-05\",\n      \"value\": \"value2\"\n    }\n  ]\n}\n```\n\n### ListSecrets\n\n`/rest/api/1/secrets`\n\nMethod `GET`.\n\n```json\n{\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\"\n}\n```\n\nResponse:\n```json\n{\n  \"data\":[\n    {\n      \"id\": \"1ba2f0c9-d73d-48bf-84a5-290ce5012258\",\n      \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n      \"key\": \"this-is-the-name\"\n    }\n  ]\n}\n```\n\n### UpdateSecret\n\n`/rest/api/1/secret`\n\nMethod `PUT`.\n\n```json\n{\n  \"id\": \"1ba2f0c9-d73d-48bf-84a5-290ce5012258\",\n  \"key\": \"name\",\n  \"note\": \"new-note\",\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"value\": 
\"new-value\"\n}\n```\n\nResponse:\n\n```json\n{\n  \"creationDate\": \"2024-04-04\",\n  \"id\": \"1ba2f0c9-d73d-48bf-84a5-290ce5012258\",\n  \"key\": \"test\",\n  \"note\": \"note\",\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"revisionDate\": \"2024-04-04\",\n  \"value\": \"value\"\n}\n```\n\n### CreateSecret\n\n`/rest/api/1/secret`\n\nMethod `POST`.\n\n```json\n{\n  \"key\": \"name\",\n  \"note\": \"note\",\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"value\": \"value\"\n}\n```\n\nResponse:\n\n```json\n{\n  \"creationDate\": \"2024-04-04\",\n  \"id\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"key\": \"name\",\n  \"note\": \"note\",\n  \"organizationId\": \"f5847eef-2f89-43bc-885a-b18a01178e3e\",\n  \"revisionDate\": \"2024-04-04\",\n  \"value\": \"value\"\n}\n```\n\n## Authentication\n\nThe router uses a middleware called `Warden` that creates an authenticated client for all requests.\nThis client is created through the use of headers. 
The following headers can be provided for each call:\n\n```\nWarden-Access-Token: \u003ctoken\u003e // mandatory\nWarden-State-Path: \u003cstate-path\u003e\nWarden-Api-Url: \u003curl\u003e\nWarden-Identity-Url: \u003curl\u003e\n```\n\nA sample call could look something like this:\n\n```\ncurl --insecure -d '{\"key\": \"test2\", \"value\": \"secret\",\"note\": \"shit\", \"organizationId\": \"ac2b00ac-2ef7-4d86-8cbd-b18a011760cb\", \"projectIds\":[\"f5847eef-2f89-43bc-885a-b18a01178e3e\"]}' https://chart-bitwarden-sdk-server.default.svc.cluster.local:9998/rest/api/1/secret --header 'Warden-Access-Token:\u003ctoken\u003e' -X POST\n```\n\n## Install\n\nThe server is a dependency of external-secrets' helm chart, therefore it can be installed together with ESO like this:\n\n```\nhelm install external-secrets \\\n   external-secrets/external-secrets \\\n    -n external-secrets \\\n    --create-namespace \\\n    --set bitwarden-sdk-server.enabled=true\n```\n\nOr, it can also be installed in a standalone way using helm from this repository.\n\nThe server **MUST** run using HTTPS. A recommended way to generate a certificate is to use cert-manager.\nThe certificate can be defined in a Kubernetes secret called `bitwarden-tls-certs`. This can be overridden in the helm\nchart values file.\n\nThe certificate will then be required when using external-secrets' Bitwarden provider.\n\n## Certificates\n\nThere are many ways to generate secrets for an HTTP server. One of them is cert-manager.\n\nThat process can be found under the `hack` folder. But using an existing certificate is also possible through helm\nvalues. 
These are mounted inside the container and used further by the client with keys defined by the following\ncommand line arguments:\n\n```go\n\tflag.StringVar(\u0026rootArgs.server.KeyFile, \"key-file\", \"/certs/key.pem\", \"--key-file /certs/key.pem\")\n\tflag.StringVar(\u0026rootArgs.server.CertFile, \"cert-file\", \"/certs/cert.pem\", \"--cert-file /certs/cert.pem\")\n```\n\nThe certificate mount target and values are defined under `image` section in the values file as such:\n\n```yaml\nimage:\n  repository: ghcr.io/external-secrets/bitwarden-sdk-server\n  pullPolicy: IfNotPresent\n  # Overrides the image tag whose default is the chart appVersion.\n  tag: \"\"\n  tls:\n    enabled: true\n    volumeMounts:\n      - mountPath: \"/certs\"\n        name: \"bitwarden-tls-certs\"\n    volumes:\n      - name: \"bitwarden-tls-certs\"\n        secret:\n          secretName: \"bitwarden-tls-certs\"\n          items:\n            - key: \"tls.crt\"\n              path: \"cert.pem\"\n            - key: \"tls.key\"\n              path: \"key.pem\"\n            - key: \"ca.crt\"\n              path: \"ca.pem\"\n```\n\nTo use cert-manager the `hack` folder sets up the following certificate issuer:\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: bitwarden-bootstrap-issuer\nspec:\n  selfSigned: {}\n---\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: bitwarden-bootstrap-certificate\n  namespace: cert-manager\nspec:\n  # this is discouraged but required by ios\n  commonName: cert-manager-bitwarden-tls\n  isCA: true\n  secretName: bitwarden-tls-certs\n  subject:\n    organizations:\n      - external-secrets.io\n  dnsNames:\n    - external-secrets-bitwarden-sdk-server.default.svc.cluster.local\n    - bitwarden-sdk-server.default.svc.cluster.local\n    - localhost\n  ipAddresses:\n    - 127.0.0.1\n    - ::1\n  privateKey:\n    algorithm: RSA\n    encoding: PKCS8\n    size: 2048\n  issuerRef:\n    name: 
bitwarden-bootstrap-issuer\n    kind: ClusterIssuer\n    group: cert-manager.io\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: bitwarden-certificate-issuer\nspec:\n  ca:\n    secretName: bitwarden-tls-certs\n```\n\nThe important bits are the `dnsNames`. The first one is with the external-secrets helm release name, and the second one\nis a plain install. But also, external-secrets pins the release name of bitwarden, so that should work too. This will\ncreate a self-signed certificate for us to use internally. This certificate will later be provided to external-secrets\nso it can talk to the service.\n\nNext, we create a Certificate for bitwarden with the following request:\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: bitwarden-tls-certs\n  namespace: default\nspec:\n  secretName: bitwarden-tls-certs\n  dnsNames:\n    - bitwarden-sdk-server.default.svc.cluster.local\n    - external-secrets-bitwarden-sdk-server.default.svc.cluster.local\n    - localhost\n  ipAddresses:\n    - 127.0.0.1\n    - ::1\n  privateKey:\n    algorithm: RSA\n    encoding: PKCS8\n    size: 2048\n  issuerRef:\n    name: bitwarden-certificate-issuer\n    kind: ClusterIssuer\n    group: cert-manager.io\n```\n\nThis is provided to bitwarden to initialize an HTTPS server.\n\n### External-secrets\n\nOn external-secrets side, there are two options to provide the certificate.\n\nOne is through `caBundle` which accepts the plain root certificate as a base64 encoded value.\n\nSecond is through `caProvider` that uses either a secret or a configmap and looks for the right key.\n\n**_WARNING_**: DO NOT provide the same secret as the server. 
For more detail read [cert-manager Trust Post](https://cert-manager.io/docs/trust/).\n\n### Insecure\n\nFor testing purposes, or if you trust your network that much, an `--insecure` flag has been provided that runs this\nserver as plain HTTP.\n\n## Testing\n\nRun `make prime-test-cluster` to launch a cluster and generate a certificate for the service. Once done, simply run tilt\nto create the service. Note that OSX users must install https://github.com/FiloSottile/homebrew-musl-cross in order to\nbuild the CGO library.\n\n## External-secrets documentation\n\nUsage on the external-secrets side is documented under [Bitwarden Secrets Manager Provider](https://external-secrets.io/latest/provider/bitwarden-secrets-manager/).\n\n## Troubleshooting\n\n### DNS Issues and getting 400 from the SDK\n\nWhen using this server through external-secrets, there is a chance of receiving something like this:\n```\n2025/03/26 09:16:24 \"GET https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998/rest/api/1/secret HTTP/1.1\" from 10.128.0.146:34830 - 400 154B in 5.601049ms\n2025/03/26 09:16:25 \"GET https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998/rest/api/1/secret HTTP/1.1\" from 10.128.0.146:34832 - 400 154B in 2.267271ms\n```\n\nUnfortunately, there is not much coming from the SDK in terms of errors, but trying with curl shows this distinct error:\n\n```\n/home/curl_user $ curl bitwarden.com\ncurl: (6) Could not resolve host: bitwarden.com\n/home/curl_user $ curl api.bitwarden.com\ncurl: (6) Could not resolve host: api.bitwarden.com\n```\n\nOr something akin to that.\n\nIn this case, the solution is to put an extra `.` after the URLs like this:\n```yaml\napiURL: https://vault.bitwarden.eu./api\nidentityURL: https://vault.bitwarden.eu./identity\n```\n\nor\n\n```yaml\napiURL: https://api.bitwarden.com.\nidentityURL: https://identity.bitwarden.com.\n```\n\nThis should then fix the problem.\n\n#### Deployments using Helm\n\nIf you have deployed 
`bitwarden-sdk-server` using helm, you can set the value\n`podDnsConfig`; specifically, setting `ndots` to `2` will prevent this problem\nfrom happening.\n\nPlease see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) for more details.\n\n## License\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fexternal-secrets%2Fbitwarden-sdk-server.svg?type=large\u0026issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fexternal-secrets%2Fbitwarden-sdk-server?ref=badge_large\u0026issueType=license)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexternal-secrets%2Fbitwarden-sdk-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexternal-secrets%2Fbitwarden-sdk-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexternal-secrets%2Fbitwarden-sdk-server/lists"}