
Using with Helm #39

Closed
nodesocket opened this issue Apr 13, 2021 · 8 comments

Comments

@nodesocket

I am currently using standard Helm and a template like:

{{- $def := index .Values "default" -}}
apiVersion: v1
data:
  STRIPE_PUBLIC_KEY: {{ default $def.STRIPE_PUBLIC_KEY | b64enc }}
  STRIPE_SECRET_KEY: {{ default $def.STRIPE_SECRET_KEY | b64enc }}
  # .... etc ....
kind: Secret
metadata:
  name: api-env
type: Opaque

Then the deployment simply does:

envFrom:
- secretRef:
    name: api-env

Finally, in the values.yaml we specify the secrets like:

default:
  STRIPE_PUBLIC_KEY: foobar
  STRIPE_SECRET_KEY: secret-foobar

How would migrating to 1Password-operator in our Kubernetes cluster work?

@florisvdg
Member

  1. Move the secrets from your values.yaml to a 1Password vault
  2. Set up 1Password Secrets Automation for that vault
  3. Use the Helm chart to deploy Connect+operator
  4. For every secret you want to make available in your Kubernetes cluster, add a OnePasswordItem CRD where you specify which 1Password item should map to which Kubernetes Secret.

And all your deployment specs can stay the same if they were using Kubernetes Secrets already.

@nodesocket
Author

nodesocket commented Apr 20, 2021

@florisvdg thanks for the help.

I have completed steps 1, 2, 3.

ubuntu@kubectl:/tmp$ kubectl get pods
NAME                                   READY   STATUS             RESTARTS   AGE
onepassword-connect-57bcf96ff8-vzvt6   2/2     Running            0          6m8s

When trying to store the CRD though, I am getting the following error:

ubuntu@kubectl:/tmp$ kubectl create -f test-onepassword-secret.yaml
error: unable to recognize "test-onepassword-secret.yaml": no matches for kind "OnePasswordItem" in version "onepassword.com/v1"

The contents of test-onepassword-secret.yaml is:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: onepassword-api-env
spec:
  itemPath: vaults/Acme-Test/items/api-env

@nodesocket
Author

nodesocket commented Apr 20, 2021

@florisvdg found my problem, needed a few more flags when doing the Helm install:

helm install onepassword-connect 1password/connect --set-file connect.credentials=~/1password-credentials.json --set operator.create=true --set operator.token.value=<ONEPASSWORD_TOKEN>

I was able to store the secret using the above test-onepassword-secret.yaml, but aren't I supposed to be able to see the secret when doing:

kubectl get secrets

I do see the onepassworditem CRD:

ubuntu@kubectl:/tmp$ kubectl describe onepassworditem onepassword-api-env
Name:         onepassword-api-env
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  onepassword.com/v1
Kind:         OnePasswordItem
Metadata:
  Creation Timestamp:  2021-04-20T22:45:33Z
  Generation:          1
  Managed Fields:
    API Version:  onepassword.com/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:itemPath:
    Manager:         kubectl-create
    Operation:       Update
    Time:            2021-04-20T22:45:33Z
  Resource Version:  58891898
  Self Link:         /apis/onepassword.com/v1/namespaces/default/onepassworditems/onepassword-api-env
  UID:               7ea1037f-039a-41f7-8c96-410696c0ce3b
Spec:
  Item Path:  vaults/Acme-Test/items/api-env
Events:       <none>

@jillianwilson
Contributor

@nodesocket When you set up using the helm chart did you create a cluster role, service account, and rolebinding for the operator?

@florisvdg florisvdg transferred this issue from 1Password/onepassword-operator Apr 28, 2021
@nodesocket
Author

nodesocket commented May 2, 2021

@jillianwilson thanks for the reply. Doesn't the official helm chart create the cluster role, service account, and role binding? If not, why not? Also, I must have missed that in the documentation. Can you point me to it?

@florisvdg
Member

Yes, it does, but you have to explicitly enable it:

operator:
  create: true
  serviceAccount:
    create: true
  roleBinding:
    create: true
  clusterRole:
    create: true

In the next release, we'll make it create the RBAC resources by default so you'll only have to add --set operator.create=true.
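As an added example (not from this thread or the 1Password project), here is a shell check that tells the two failure modes in this thread apart: the kind OnePasswordItem being unknown to the API server (CRD never installed because the chart ran without operator.create=true) versus the CRD being present but no Secret ever appearing (the operator's ServiceAccount, ClusterRole and RoleBinding not created). The exact resource names the chart creates are an assumption, so the RBAC check matches on the substring "onepassword".

```shell
#!/usr/bin/env bash
# Added diagnostic for the operator setup discussed above; not the project's code.
set -eu

# $1: output of `kubectl api-resources --api-group=onepassword.com -o name`
# $2: output of `kubectl get serviceaccount,clusterrole,rolebinding -A -o name`
# Prints NO_CRD, NO_RBAC:<missing kinds>, or OK.
diagnose_operator() {
  local api_resources="$1" rbac="$2" missing=""
  # Case (a): "no matches for kind OnePasswordItem" -> the CRD is not registered,
  # which is what happens when the chart is installed without operator.create=true.
  if ! printf '%s\n' "$api_resources" | grep -q '^onepassworditems\.onepassword\.com$'; then
    echo "NO_CRD"
    return 0
  fi
  # Case (b): the OnePasswordItem object exists but no Secret shows up -> the
  # operator has no RBAC to watch items and write Secrets (serviceAccount,
  # roleBinding and clusterRole .create flags in the chart values).
  # ASSUMPTION: the chart's RBAC objects contain "onepassword" in their names.
  for kind in serviceaccount clusterrole rolebinding; do
    if ! printf '%s\n' "$rbac" | grep -q "^${kind}[./].*onepassword"; then
      missing="${missing:+$missing,}$kind"
    fi
  done
  if [ -n "$missing" ]; then
    echo "NO_RBAC:$missing"
  else
    echo "OK"
  fi
}

# Live wrapper: runs the two kubectl listings against the current context.
diagnose_live() {
  diagnose_operator \
    "$(kubectl api-resources --api-group=onepassword.com -o name 2>/dev/null || true)" \
    "$(kubectl get serviceaccount,clusterrole,rolebinding -A -o name 2>/dev/null || true)"
}

# Constructed sample listings mirroring the thread: CRD installed, RBAC absent.
SAMPLE_API='onepassworditems.onepassword.com'
SAMPLE_RBAC='serviceaccount/default
clusterrole.rbac.authorization.k8s.io/admin
rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer'

if [ "${1:-}" = "--demo" ]; then
  diagnose_operator "$SAMPLE_API" "$SAMPLE_RBAC"
fi
```

Run with `--demo` to see the classification of the constructed sample, or call `diagnose_live` with cluster access.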

@nodesocket
Author

nodesocket commented May 3, 2021

@florisvdg ok thanks. Any idea when the next release is due to come out with RBAC resources created by default?

Also, can I use Secure Notes in 1Password? Does the Kubernetes integration care what sort of type in 1Password it is?

@florisvdg
Member

v1.2.0 has just been released, but note: you do have to change the Helm repo URL to https://1password.github.io/connect-helm-charts to get the update.

And about the secure notes, the Kubernetes operator treats them like any other 1Password item. The Kubernetes Secret field where the note contents will get mapped to is notesPlain.
