Bitwarden Kubernetes

Posted on  by admin

Here's a simple way to update your Kubernetes secrets directly from Bitwarden, so they are always in sync. In this example, we create a Bitwarden entry called production-secrets and, inside it, define our secrets as custom fields. Each custom field holds one secret, e.g. MYSECRET=shush, PASSWORD=I'm not telling. In this video I will show you how to deploy a NextCloud instance in your Kubernetes cluster using Helm. I have used LXC containers in my Kubernetes cluster.
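The sync described above, as an added example that is not code from the original post: it reads the custom fields of a Bitwarden item with the `bw` CLI (`bw get item` returns JSON whose `fields` array carries `name`, `value` and `type`, where type 0 is text and 1 is hidden), builds a Kubernetes `Secret` manifest from them, and pipes it to `kubectl apply`. The item name `production-secrets`, the Secret name and the namespace are assumptions, and the embedded sample item is constructed so the parsing can be exercised without a vault.

```python
"""Sync the custom fields of one Bitwarden item into a Kubernetes Secret.

Added example, not part of the original recipe. Assumes:
  - the Bitwarden CLI `bw` is installed and unlocked (BW_SESSION exported),
  - `kubectl` is configured for the target cluster,
  - the item/secret names below (hypothetical).
"""
import base64
import json
import subprocess

ITEM_NAME = "production-secrets"    # hypothetical Bitwarden item name
SECRET_NAME = "production-secrets"  # hypothetical Kubernetes Secret name
NAMESPACE = "default"

# Bitwarden custom-field types: 0 = text, 1 = hidden, 2 = boolean, 3 = linked.
SECRET_FIELD_TYPES = (0, 1)

# Constructed sample of what `bw get item production-secrets` returns
# (trimmed to the parts this script uses). The boolean field is there to
# show that non-secret field types are skipped.
SAMPLE_ITEM_JSON = json.dumps({
    "name": "production-secrets",
    "fields": [
        {"name": "MYSECRET", "value": "shush", "type": 1},
        {"name": "PASSWORD", "value": "I'm not telling", "type": 1},
        {"name": "ROTATED", "value": "true", "type": 2},
    ],
})


def fields_from_item(item_json: str) -> dict:
    """Return {field_name: value} for the text/hidden custom fields of an item.

    Fields with an empty name or of boolean/linked type are ignored, and a
    missing value becomes an empty string rather than crashing the sync.
    """
    item = json.loads(item_json)
    out = {}
    for field in item.get("fields", []):
        if field.get("type") in SECRET_FIELD_TYPES and field.get("name"):
            out[field["name"]] = field.get("value") or ""
    return out


def secret_manifest(name: str, namespace: str, fields: dict) -> dict:
    """Build an Opaque Secret manifest. The API stores values base64-encoded;
    that is encoding only, so the values are protected solely by cluster RBAC
    and etcd encryption at rest, not by this script."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {
            key: base64.b64encode(value.encode("utf-8")).decode("ascii")
            for key, value in fields.items()
        },
    }


def bw_get_item(name: str) -> str:
    """Fetch the item JSON from the unlocked Bitwarden vault."""
    result = subprocess.run(
        ["bw", "get", "item", name], check=True, capture_output=True, text=True
    )
    return result.stdout


def kubectl_apply(manifest: dict) -> None:
    """Apply the manifest via stdin so the secret values never touch disk."""
    subprocess.run(
        ["kubectl", "apply", "-f", "-"],
        input=json.dumps(manifest), check=True, text=True,
    )


if __name__ == "__main__":
    fields = fields_from_item(bw_get_item(ITEM_NAME))
    kubectl_apply(secret_manifest(SECRET_NAME, NAMESPACE, fields))
    print(f"synced {len(fields)} field(s) into secret {NAMESPACE}/{SECRET_NAME}")
```

Run it from a cron job or CI step after `bw unlock`, and re-run whenever the vault item changes. Because the manifest is piped on stdin, nothing is written to a file; note, however, that `kubectl apply` records the full object in the `last-applied-configuration` annotation, so anyone who can read the Secret can read the values either way.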

Heard about the latest password breach (since lunch)? HaveYouBeenPowned yet (today)? Passwords are broken, and as the number of sites for which you need to store credentials grows exponentially, so does the risk of using a common password.

'Duh, use a password manager', you say. Sure, but be aware that even password managers have security flaws.

OK, look smartass... no software is perfect, and there will always be a risk of your credentials being exposed in ways you didn't intend. You can at least minimize the impact of such exposure by using a password manager to store unique credentials per site. While 1Password is king of the commercial password managers, Bitwarden is king of the open-source, self-hosted password managers.

Enter Bitwarden..

Bitwarden takes automated nightly backups of the bitwarden-mssql database container in order to protect your stored credentials. For help with manual backups, or help restoring a backup, see Backup your Hosted Data.

Bitwarden is a free and open source password management solution for individuals, teams, and business organizations. While Bitwarden does offer a paid / hosted version, the free version comes with the following (better than any other free password manager!):

  • Access & install all Bitwarden apps
  • Sync all of your devices, no limits!
  • Store unlimited items in your vault
  • Logins, secure notes, credit cards, & identities
  • Two-step authentication (2FA)
  • Secure password generator
  • Self-host on your own server (optional)

Ingredients

Already deployed:

  • Docker swarm cluster with persistent shared storage
  • Traefik configured per design
  • DNS entry for the hostname you intend to use (or a wildcard), pointed to your keepalived IP

Related:

  • Traefik Forward Auth to secure your Traefik-exposed services with an additional layer of authentication

Preparation

Setup data locations

We'll need a directory to bind-mount into our container, so create /var/data/bitwarden.

Setup environment

Create /var/data/config/bitwarden/bitwarden.env, and leave it empty for now.

Question


What, why an empty env file? Well, the container supports lots of customizations via environment variables, for things like toggling self-registration, 2FA, etc. These are too complex to go into for this recipe, but readers are recommended to review the dani-garcia/bitwarden_rs wiki and customize their installation to suit.

Setup Docker Swarm

Create a docker swarm config file in docker-compose syntax (v3), something like this:

Tip

I automatically and instantly share (with my sponsors) a private 'premix' git repository, which includes necessary docker-compose and env files for all published recipes. This means that sponsors can launch any recipe with just a git pull and a docker stack deploy 👍.

🚀 Update: Premix now includes an ansible playbook, so that sponsors can deploy an entire stack + recipes, with a single ansible command! (more here)

Note

Note the clever use of two Traefik frontends to expose the notifications hub on port 3012. Thanks @gkoerk!

Serving

Launch Bitwarden stack

Launch the Bitwarden stack by running docker stack deploy bitwarden -c <path-to-docker-compose.yml>

Browse to your new instance at https://YOUR-FQDN, and create a new user account and master password (just click the **Create Account** button without filling in your email address or master password).

Get the apps / extensions

Once you've created your account, jump over to https://bitwarden.com/#download and download the apps for your mobile and browser, and start adding your logins!

Chef's notes 📓

  1. You'll notice we're not using the official container images (all 6 of them required!), but rather a more lightweight version ideal for self-hosting. All of the elements are contained within a single container, and SQLite is used for the database backend.

  2. As mentioned above, readers should refer to the dani-garcia/bitwarden_rs wiki for details on customizing the behaviour of Bitwarden.

  3. The inclusion of Bitwarden was due to the efforts of @gkoerk in our Discord server. Thanks Gerry!

Tip your waiter (sponsor) 👏

Did you receive excellent service? Want to make your waiter happy? (..and support development of current and future recipes!) Sponsor me on Github / Patreon, or see the contribute page for more (free or paid) ways to say thank you! 👏

Flirt with waiter (subscribe) 💌

Want to know now when this recipe gets updated, or when future recipes are added? Subscribe to the RSS feed, or leave your email address below, and we'll keep you updated. (*double-opt-in, no monkey business, no spam)

Your comments? 💬

Last update: February 4, 2021


Overall, most Linux distributions offer sane, reasonable defaults that balance security and functionality quite well. However, most of the security mechanisms are transparent, running in the background, and you still might require some additional, practical software to bolster your security array. Back in July, we talked about handy productivity applications available in the Snap Store, and today we’d like to take a glimpse at the security category, and review several cool, interesting snaps.

Once upon a time, password management was a simple thing. There were few services around, the Internet was a fairly benign place, and we often used the same combo of username and password for many of them. But as the Internet grew and the threat landscape evolved, the habits changed.

In the modern Web landscape, there are thousands of online services, and many sites also require logins to allow you to use their full functionality. With data breaches a common phenomenon nowadays, tech-savvy users have adopted a healthier practice of avoiding credentials re-use. However, this also creates a massive administrative burden, as people now need to memorize hundreds of usernames and their associated passwords.

The solution to this fairly insurmountable challenge is the use of secure, encrypted digital password wallets, which allow you to keep track of your endless list of sites, services and their relevant credentials.


KeePassXC does exactly that. The program comes with a simple, fairly intuitive interface. On first run, you will be able to select your encryption settings, including the ability to use KeePassXC in conjunction with a YubiKey. Once the application is configured, you can then start adding entries, including usernames, passwords, any notes, links to websites, and even attachments. The contents are stored in a database file, which you can easily port or copy, so you also gain an element of extra flexibility – as well as the option to back up your important data.

Given that we’ve discussed password management, the next logical step is to talk about collaborative development, configuration files and passwords (secrets) that sometimes need to be used or shared in projects. If you use public repositories (or even private ones), there is always some risk in keeping credentials out in the open.

Secrethub-cli is designed to provide a workaround to this issue by allowing developers to store necessary credentials (like database usernames and passwords) inside encrypted vaults, and then inject them into configuration files only when necessary.

You start by signing up for an account, after which you can use the command-line interface to populate your vault. The next step is to create template files (.tpl) with specifically defined secret placeholders, and then pass the files to secrethub-cli, which will inject the right credentials based on the provided placeholders (username and password) and print the result to standard output, or, if you like, into a service configuration file for your application.

This way, the command will run correctly if the right secrethub-cli account is used, but it won’t work for anyone else, allowing reliable sharing of project work. The application is available for free for personal projects.

This software might very well be familiar to you, as we’ve discussed Wormhole in greater detail several months ago. It is an application designed to allow two end systems to exchange files in a safe, secure manner. Rather than using email or file sharing services, you can send content to your friends and colleagues directly, using Wormhole codes, which allow the two sides to identify one another and exchange data. Wormhole is a command-line program, but it is relatively simple to use. It also offers unlimited data transfers, and can work with directories too (and not just individual files).

System restarts can be a nuisance, and might lead to a (temporary) loss of productivity. Sometimes though, they are necessary, especially if your machine has just received a slew of security updates. Livepatch is a Canonical tool, offering rebootless kernel patching. It runs as a service on a host and occasionally applies patches to the kernel, which will be used until a full kernel update and the subsequent restart. It is a convenient and practical solution, especially in the mission-critical server environment.

However, home users can benefit from this product too. Livepatch is available for free to Ubuntu users on LTS releases (like 16.04 or 18.04). The only additional requirement is that you do have to register for an Ubuntu SSO account, which will provide you with a token, which you can then use to enable the livepatch service on up to three systems (for free).

Once Livepatch is installed and enabled, it will run in the background, doing its job. Livepatch fixes cannot be created for every single kernel vulnerability, but a large number of them can be mitigated, dispensing with the need for frequent reboots. You can always check the status of the service on the command line to see that it is working.


We hope you enjoyed this piece. Software security often has a somber angle, but we’d like to believe that today’s blog post dispels that notion. The exercise of practicality, data integrity and the ability to protect your important information does not have to be an arduous and difficult task. In fact, you might even enjoy yourself.

We would also suggest you visit the Snap Store and explore; who knows, you might find some rather useful applications that you haven’t really thought of or known before. If you have any comments, please join our forum for a discussion.


Photo by Jason Blackeye on Unsplash.
