A Helm chart that deploys a Bitwarden CLI bridge and integrates it with the External Secrets Operator via ClusterSecretStore, allowing you to sync secrets from your Bitwarden vault directly into Kubernetes.
```
Bitwarden Vault
      │
      ▼
Bitwarden CLI Pod (port 8087)
      │
      ▼
ClusterSecretStore (ESO Webhook Provider)
      │
      ▼
ExternalSecret → Kubernetes Secret
```
Components:

- Bitwarden CLI Pod — runs the CLI in `serve` mode, exposing a local REST API on port 8087.
- Kubernetes Service — provides a stable in-cluster endpoint for the CLI pod.
- ClusterSecretStore — configured as a Webhook provider that queries the CLI API.
- External Secrets Operator — orchestrates syncing from Bitwarden into Kubernetes Secrets.

Prerequisites:

- External Secrets Operator installed in your cluster.
- A Bitwarden account with API access enabled.
```bash
helm repo add bitwarden-password-manager-eso https://user-cube.github.io/bitwarden-password-manager-eso
helm repo update
```

For SOPS-encrypted credentials (recommended):

```bash
helm secrets install bitwarden-password-manager-eso bitwarden-password-manager-eso/bitwarden-password-manager-eso -f values.yaml -f secrets.enc.yaml
```

| Store | JSONPath | Use case |
|---|---|---|
| `bitwarden-login` | `$.data.login.username` | Usernames |
| `bitwarden-password` | `$.data.login.password` | Passwords |
| `bitwarden-fields` | `$.data.fields` | Custom fields |
| `bitwarden-notes` | `$.data.notes` | Secure notes |
| `bitwarden-attachments` | `$.data.attachments` | Attachments |
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-credentials
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: bitwarden-password
    kind: ClusterSecretStore
  target:
    name: my-app-k8s-secret
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: "your-bitwarden-item-uuid"
```

The `remoteRef.key` is the UUID of the item in your Bitwarden vault (visible in the web vault URL).
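
An added illustration, not the chart's own templates, of how one store from the table could be expressed as an ESO Webhook provider, paired with a NetworkPolicy that limits who can reach the CLI pod, since `bw serve` does not authenticate callers. The Service name `bitwarden-cli`, the `bitwarden` and `external-secrets` namespaces, and the pod labels are assumptions; adjust them to your release.

```yaml
# Illustrative only: names, namespaces and labels are assumptions, not the chart's output.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: bitwarden-password
spec:
  provider:
    webhook:
      # remoteRef.key from the ExternalSecret (the item UUID) is templated into the path.
      url: "http://bitwarden-cli.bitwarden.svc.cluster.local:8087/object/item/{{ .remoteRef.key }}"
      result:
        # Each store in the table selects a different JSONPath from the item response.
        jsonPath: "$.data.login.password"
---
# Allow only External Secrets Operator pods to reach the CLI pod on port 8087.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bitwarden-cli-allow-eso-only
  namespace: bitwarden            # assumed release namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: bitwarden-cli   # assumed label on the CLI pod
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: external-secrets   # assumed ESO namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: external-secrets        # assumed ESO pod label
      ports:
        - protocol: TCP
          port: 8087
```

A NetworkPolicy is only enforced when the cluster's CNI plugin supports it.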
Full documentation is available at the project docs site:
For the full values reference see the chart README or ArtifactHub.