Closed grhawk closed 4 months ago
Thanks for this, that was exactly the problem I was getting!
Here's a kustomize patch that I used in my ArgoCD app to apply those changes, that could help others before the PR is merged
apiVersion: apps/v1
kind: Deployment
metadata:
name: onepassword-connect
spec:
template:
spec:
containers:
- name: connect-api
env:
- name: OP_SESSION
value: /home/opuser/.op/1password-credentials.json
valueFrom:
volumeMounts:
- name: credentials
mountPath: /home/opuser/.op/1password-credentials.json
subPath: 1password-credentials.json
- name: connect-sync
env:
- name: OP_SESSION
value: /home/opuser/.op/1password-credentials.json
valueFrom:
volumeMounts:
- name: credentials
mountPath: /home/opuser/.op/1password-credentials.json
subPath: 1password-credentials.json
@jillianwilson Hi, do you think this PR is still relevant? :)
@grhawk it's still a problem i guess-- I'm unable to use this chart.
⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}
) and force push them to this branch (git push --force-with-lease
).
If you're new to commit signing, there are different ways to set it up:
gpg
ssh-agent
Hey @grhawk thanks for the PR for this! I know this has been sitting here for a bit, but I reviewed today and tested and all looks good. My only feedback is that you sign your commit, as commits need to be signed to merge into main. I could sign your commit on your behalf but then it would look like I wrote your commit. I want to make sure you are properly credited for your work :)
Hi @jillianwilson, I ll sign the commit by the end of the week! Thank you for your time!!
Best Riccardo
I created a new PR since I could not sign the commit I did in this one (the rebase had conflicts and it was too long after I did the PR to remember what I did :))
I am closing this one and pls continue with https://github.com/1Password/connect-helm-charts/pull/196
Hi, thank you for your nice job!
I think I found a couple of minor issues. However, it could be I did not get the right way to use the chart :).
Double encoded secret
The main repo creates the
connect-credentials
secret using thestringData
method but provides binary strings: https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-credentials.yaml#L14-L20 This ends up encoding the string twice making the mounted file not accessible by the software. Using thedata
method works as expected since the helm chart takes care of converting to binary when needed.1password-credential.json
stored in an environmental variableThe main repo expects the server codes to use to read the credentials directly from the
OP_SESSION
variable. Thus the helm chart reads like this: https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-deployment.yaml#L61-L66 This stores the value of the secret in theOP_SESSION
variable but the docs of the op-server are quite clear on the fact that the variable only defines the path to the credential file.I fixed this issue by creating a volume out of the credential-secret and mounting it always in the expected spot. I don't see the need of allowing the users of the chart to define directly the
OP_SESSION
. In case, this can be easily modified though.