{"id":25735955,"url":"https://github.com/small-hack/bitwarden-eso-provider","last_synced_at":"2026-02-13T01:39:59.924Z","repository":{"id":186722257,"uuid":"675633035","full_name":"small-hack/bitwarden-eso-provider","owner":"small-hack","description":"Helm chart to deploy an (unofficial) Bitwarden provider for the Kubernetes External Secrets Operator.","archived":false,"fork":false,"pushed_at":"2025-08-25T04:25:28.000Z","size":251,"stargazers_count":16,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-25T07:09:48.495Z","etag":null,"topics":["bitwarden","external-secrets","kubernetes-secrets"],"latest_commit_sha":null,"homepage":"https://small-hack.github.io/bitwarden-eso-provider/","language":"Smarty","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/small-hack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["jessebot"]}},"created_at":"2023-08-07T11:20:23.000Z","updated_at":"2025-08-25T04:25:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"71fa34d3-536b-4a56-8fbd-e7b9bcce5494","html_url":"https://github.com/small-hack/bitwarden-eso-provider","commit_stats":null,"previous_names":["jessebot/bitwarden-eso-provider","small-hack/bitwarden-eso-provider"],"tags_count":50,"template":false,"template_full_name":null,"purl":"pkg:github/small-hack/bitwarden-eso-provider","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/small-hack%2Fbitwarden-eso-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/small-hack%2Fbitwarden-eso-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/small-hack%2Fbitwarden-eso-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/small-hack%2Fbitwarden-eso-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/small-hack","download_url":"https://codeload.github.com/small-hack/bitwarden-eso-provider/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/small-hack%2Fbitwarden-eso-provider/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272873444,"owners_count":25007541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-30T02:00:09.474Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitwarden","external-secrets","kubernetes-secrets"],"created_at":"2025-02-26T05:34:27.923Z","updated_at":"2026-02-13T01:39:54.903Z","avatar_url":"https://github.com/small-hack.png","language":"Smarty","funding_links":["https://github.com/sponsors/jessebot"],"categories":[],"sub_categories":[],"readme":"# Bitwarden External Secrets Operator Provider Helm Chart\n\u003ca href=\"https://github.com/small-hack/bitwarden-eso-provider/releases\"\u003e\u003cimg 
src=\"https://img.shields.io/github/v/release/small-hack/bitwarden-eso-provider?style=plastic\u0026labelColor=blue\u0026color=036440\u0026logo=GitHub\u0026logoColor=white\"\u003e\u003c/a\u003e [![](https://img.shields.io/docker/pulls/jessebot/bweso.svg)](https://cloud.docker.com/u/jessebot/repository/docker/jessebot/bweso)\n\nDeploy a Bitwarden Provider for the [External Secrets Operator](https://external-secrets.io) so you can use [`ExternalSecrets`](https://external-secrets.io/latest/introduction/overview/#externalsecret) from Bitwarden to create Kubernetes Secrets 🎉 \u003csub\u003eThis project is neither directly affiliated with the External Secrets Operator, nor the official Bitwarden®️ at this time.\u003c/sub\u003e\n\n## Usage\nFor helm, see the [README](./charts/bitwarden-eso-provider/README.md) for full details of the allowed values in [`values.yaml`](./charts/bitwarden-eso-provider/values.yaml), but, provided you already installed the External Secrets Operator, this is all you need to test:\n\n```bash\n# add the helm repo locally\nhelm repo add bitwarden-eso-provider https://small-hack.github.io/bitwarden-eso-provider\n\n# install the bitwarden provider with credentials via the CLI\n# the appID is a random string you set as a unique identifier to bitwarden to avoid too many logged-in notification emails\nhelm install my-release bitwarden-eso-provider/bitwarden-eso-provider \\\n  --set bitwarden_eso_provider.auth.password=my-secure-bitwarden-password \\\n  --set bitwarden_eso_provider.auth.clientID=my-bitwarden-clientID \\\n  --set bitwarden_eso_provider.auth.clientSecret=my-bitwarden-clientSecret \\\n  --set bitwarden_eso_provider.auth.appID=my-custom-string\n```\n\n\u003e [!Note]\n\u003e [kind](https://kind.sigs.k8s.io/) can't pull the container for some reason so we are using a pre-pull and side-load workaround in our CI steps. 
Ref: [thread](https://stackoverflow.com/questions/63657414/kind-kubernetes-cluster-failed-to-pull-docker-images).\n\n## Why does this exist?\n\nWe really didn't want to make this, but after lots of searching and experimentation we have found that Bitwarden stands out from its competitors for the following reasons:\n\n1. A generous free tier\n2. Open-Source with a permissive license\n3. Self-Hostable via VaultWarden\n4. Compatible with the External Secrets Operator\n5. Also a password manager with native desktop and mobile apps on Windows, Mac, Linux, Android, and iOS\n\n![secrets-suck drawio](https://github.com/small-hack/bitwarden-eso-provider/assets/84841307/88c7f483-ca08-48ec-80bc-8892f46b1c80)\n\n\n### Disable ClusterSecretStore Deployment\n\nIf you don't want to deploy any [`ClusterSecretStores`](https://external-secrets.io/latest/introduction/overview/#clustersecretstore), use the following arg to helm:\n```bash\nhelm install my-release bitwarden-eso-provider/bitwarden-eso-provider \\\n  --set bitwarden_eso_provider.create_cluster_secret_store=false\n```\n\nor set it via the values:\n\n```yaml\nbitwarden_eso_provider:\n  create_cluster_secret_store: false\n```\n\n### Use an existing Secret for Bitwarden credentials\nYou can pass in credentials as plain text to this helm chart, and we'll create the values as a Kubernetes Secret, but it's recommended to instead provide an existing Secret so that the values are never in plain text anywhere. 
You can do that by passing in the following in your `values.yaml`:\n\n```yaml\nbitwarden_eso_provider:\n  auth:\n    # -- use an existing Kubernetes Secret for bitwarden credentials\n    existingSecret: \"my-cool-secret\"\n    # -- Keys in the existing Kubernetes Secret to use for each sensitive value\n    secretKeys:\n      # -- secret key for Bitwarden password key\n      password: \"BW_PASSWORD\"\n      # -- secret key for Bitwarden client Secret to use to grab secrets in the pod\n      clientSecret: \"BW_CLIENTSECRET\"\n      # -- secret key for Bitwarden client ID to use to grab secrets in the pod\n      clientID: \"BW_CLIENTID\"\n      # -- bitwarden app ID to identify your pod to the Bitwarden server so that you don't receive infinite email notifications every login\n      appID: \"BW_APPID\"\n      # -- secret key for Bitwarden hostname to use to grab secrets in the pod\n      host: \"BW_HOST\"\n```\n\nOr set it via the `helm` CLI:\n\n```bash\nhelm install my-release bitwarden-eso-provider/bitwarden-eso-provider --set bitwarden_eso_provider.auth.existingSecret=\"my-cool-secret\"\n```\n\n## Example ExternalSecret\nBy default we will create three `ClusterSecretStores` for you (logins, fields \u0026 notes) that can then be accessed when you create a secret like [this](./examples/example-secret.yaml), which is also printed below:\n\n```yaml\n---\napiVersion: external-secrets.io/v1\nkind: ExternalSecret\nmetadata:\n  # name of the ExternalSecret itself\n  name: beatiful-external-secret\n  namespace: coolapp4dogs\nspec:\n  target:\n    # name of the secret to create in Kubernetes\n    name: beautiful-k8s-secret\n    deletionPolicy: Delete\n    template:\n      type: Opaque\n      data:\n        # key in the Kubernetes secret to create\n        password: |-\n          {{ .password }}\n  data:\n    # value to pass to the Kubernetes secret, go-templated as {{ .password }} above\n    - secretKey: password\n      sourceRef:\n        storeRef:\n          # Use the 
bitwarden-login store to get password values from a Bitwarden item\n          # does *not* contain custom fields. Use bitwarden-fields for Bitwarden items with custom fields\n          name: bitwarden-login\n          kind: ClusterSecretStore\n      remoteRef:\n        # This is the `name` of your Bitwarden item (not the id)\n        key: my-beautiful-login-item-in-bitwarden\n        # This is the property of the Bitwarden item that we want e.g. password\n        property: password\n```\n\n## Testing\n\nSearching for items has to be done using JSONPath, so you will need to install a utility for that. We use [bashtools/JSONPath.sh](https://github.com/bashtools/JSONPath.sh).\n\nTo query the endpoint you will need to deploy a maintenance container into the `external-secrets` namespace.\n\n```yaml\n---\nkind: PersistentVolumeClaim\napiVersion: v1\nmetadata:\n  name: maintenance\n  namespace: external-secrets\n  annotations:\n    # set to \"true\" to include in future backups\n    k8up.io/backup: \"false\"\n  # Optional:\n  #labels:\n  #  app: multi-file-writer\nspec:\n  # Optional:\n  storageClassName: local-path\n  accessModes:\n    - ReadWriteOnce\n  resources:\n    requests:\n      # Must be sufficient to hold your data\n      storage: 16Gi\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: maintenance\n  namespace: external-secrets\nspec:\n  selector:\n    matchLabels:\n      app: onboardme\n  template:\n    metadata:\n      labels:\n        app: onboardme\n    spec:\n      restartPolicy: Always\n      
containers:\n        - name: onboardme\n          image: jessebot/onboardme:debian12\n          command:\n            - /bin/sleep\n            - 3650d\n          imagePullPolicy: IfNotPresent\n          ports:\n            - containerPort: 80\n              name: \"http\"\n            - containerPort: 443\n              name: \"https\"\n            - containerPort: 22\n              name: \"ssh\"\n            - containerPort: 5900\n              name: \"vnc\"\n          volumeMounts:\n          - mountPath: /tmp\n            name: maintenance\n      volumes:\n      - name: maintenance\n        persistentVolumeClaim:\n          claimName: maintenance\n```\n\n- Use `kubectl exec -n external-secrets -it \u003cpod name\u003e -- bash` to attach to the container.\n\n- Download JSONPath.sh\n\n  ```bash\n  sudo apt-get update \u0026\u0026 sudo apt-get install -y gawk\n  curl -O https://raw.githubusercontent.com/mclarkson/JSONPath.sh/master/JSONPath.sh\n  chmod +x JSONPath.sh\n  ```\n\n- Query the endpoint\n\n  ```bash\n  curl bitwarden-eso-provider.external-secrets.svc.cluster.local:8087/list/object/items\n  ```\n\n- Test a JSONPath filter\n\n  ```bash\n  # quote the URL so the shell does not treat `?` as a glob character\n  curl 'bitwarden-eso-provider.external-secrets.svc.cluster.local:8087/list/object/items?search=zitadel' \\\n  | JSONPath.sh '$.data'\n  ```\n\n## Status\nActively maintained mostly by @jessebot and @cloudymax, but we'd love to have your help if you'd like to make improvements (bugs or feature fixes). We mostly test on k3s. Feel free to submit a GitHub issue to _this_ repo (_not_ the Bitwarden repos) if you need help. 
You're also welcome to submit PRs to this repo, and we'd love to review them 💙 Star the repo if you find it helpful \u003c3\n\n## Acknowledgements\nWe followed the [example](https://external-secrets.io/v0.9.2/examples/bitwarden/) over at the ESO docs to create this helm chart :)\n\n## Contributors\n\n\u003c!-- readme: contributors -start --\u003e\n\u003ctable\u003e\n\t\u003ctbody\u003e\n\t\t\u003ctr\u003e\n            \u003ctd align=\"center\"\u003e\n                \u003ca href=\"https://github.com/jessebot\"\u003e\n                    \u003cimg src=\"https://avatars.githubusercontent.com/u/2389292?v=4\" width=\"100;\" alt=\"jessebot\"/\u003e\n                    \u003cbr /\u003e\n                    \u003csub\u003e\u003cb\u003eJessebot\u003c/b\u003e\u003c/sub\u003e\n                \u003c/a\u003e\n            \u003c/td\u003e\n            \u003ctd align=\"center\"\u003e\n                \u003ca href=\"https://github.com/cloudymax\"\u003e\n                    \u003cimg src=\"https://avatars.githubusercontent.com/u/84841307?v=4\" width=\"100;\" alt=\"cloudymax\"/\u003e\n                    \u003cbr /\u003e\n                    \u003csub\u003e\u003cb\u003eMax!\u003c/b\u003e\u003c/sub\u003e\n                \u003c/a\u003e\n            \u003c/td\u003e\n            \u003ctd align=\"center\"\u003e\n                \u003ca href=\"https://github.com/jokajak\"\u003e\n                    \u003cimg src=\"https://avatars.githubusercontent.com/u/460913?v=4\" width=\"100;\" alt=\"jokajak\"/\u003e\n                    \u003cbr /\u003e\n                    \u003csub\u003e\u003cb\u003eJokajak\u003c/b\u003e\u003c/sub\u003e\n                \u003c/a\u003e\n            \u003c/td\u003e\n\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003c!-- readme: contributors -end 
--\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmall-hack%2Fbitwarden-eso-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsmall-hack%2Fbitwarden-eso-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmall-hack%2Fbitwarden-eso-provider/lists"}