search

1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License
90 stars 73 forks source link

fix: credential secret does not works if set from values #113

Closed grhawk closed 4 months ago

grhawk commented 2 years ago

Hi, thank you for your nice job!

I think I found a couple of minor issues. However, it could be I did not get the right way to use the chart :).

Double encoded secret

The main repo creates the connect-credentials secret using the stringData method but provides binary strings: https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-credentials.yaml#L14-L20 This ends up encoding the string twice making the mounted file not accessible by the software. Using the data method works as expected since the helm chart takes care of converting to binary when needed.

1password-credential.json stored in an environmental variable

The main repo expects the server codes to use to read the credentials directly from the OP_SESSION variable. Thus the helm chart reads like this: https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-deployment.yaml#L61-L66 This stores the value of the secret in the OP_SESSION variable but the docs of the op-server are quite clear on the fact that the variable only defines the path to the credential file.

I fixed this issue by creating a volume out of the credential-secret and mounting it always in the expected spot. I don't see the need of allowing the users of the chart to define directly the OP_SESSION. In case, this can be easily modified though.

jgoret commented 2 years ago

Thanks for this, that was exactly the problem I was getting!

Here's a kustomize patch that I used in my ArgoCD app to apply those changes, that could help others before the PR is merged

apiVersion: apps/v1
kind: Deployment
metadata:
  name: onepassword-connect
spec:
  template:
    spec:
      containers:
        - name: connect-api
          env:
            - name: OP_SESSION
              value: /home/opuser/.op/1password-credentials.json
              valueFrom:
          volumeMounts:
            - name: credentials
              mountPath: /home/opuser/.op/1password-credentials.json
              subPath: 1password-credentials.json
        - name: connect-sync
          env:
            - name: OP_SESSION
              value: /home/opuser/.op/1password-credentials.json
              valueFrom:
          volumeMounts:
            - name: credentials
              mountPath: /home/opuser/.op/1password-credentials.json
              subPath: 1password-credentials.json
grhawk commented 1 year ago

@jillianwilson Hi, do you think this PR is still relevant? :)

ElanHasson commented 10 months ago

@grhawk it's still a problem i guess-- I'm unable to use this chart.

github-actions[bot] commented 4 months ago

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with `gpg`: 1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key) 2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account) 3. [Configure `git` to use your GPG key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)
Sign commits with ssh-agent

Follow the steps below to set up commit signing with `ssh-agent`: 1. [Generate an SSH key and add it to `ssh-agent`](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) 2. [Add the SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account) 3. [Configure `git` to use your SSH key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process. Learn how to [use 1Password to sign your commits](https://developer.1password.com/docs/ssh/git-commit-signing/). Watch the demo
jillianwilson commented 4 months ago

Hey @grhawk thanks for the PR for this! I know this has been sitting here for a bit, but I reviewed today and tested and all looks good. My only feedback is that you sign your commit, as commits need to be signed to merge into main. I could sign your commit on your behalf but then it would look like I wrote your commit. I want to make sure you are properly credited for your work :)

grhawk commented 4 months ago

Hi @jillianwilson, I ll sign the commit by the end of the week! Thank you for your time!!

Best Riccardo

grhawk commented 4 months ago

I created a new PR since I could not sign the commit I did in this one (the rebase had conflicts and it was too long after I did the PR to remember what I did :))

I am closing this one and pls continue with https://github.com/1Password/connect-helm-charts/pull/196