1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License

1P Connect fails to talk to its cloud: unable to get credentials and initialize API #114

Closed farcaller closed 1 year ago

farcaller commented 2 years ago

Your environment

Chart Version:

Helm Version: 1.8.1

Kubernetes Version: 1.24

What happened?

1P cannot talk home. The logs say:

{"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-09-20T10:09:36.36339545Z","level":3}
{"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 30s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromBase64), illegal base64 data at input byte 0","timestamp":"2022-09-20T10:09:36.363794629Z","level":1}

What did you expect to happen?

1P works

Steps to reproduce

I created the secret from file just as it says in the docs:

k create secret generic op-credentials --from-file 1password-credentials.json

I verified that the secret's value (the JSON) is passed into the pod via OP_SESSION.

farcaller commented 2 years ago

It looks like the OP_SESSION should be either a base64 string of the json (that is base64 inside of secret's base64) or a path to the json file.

That, at least, got me to

{"log_message":"(I) established incoming bus peer connection","timestamp":"2022-09-20T10:35:25.519162154Z","level":3}

but I'm still waiting for the web frontend to acknowledge the connect server's existence.

farcaller commented 2 years ago

After sitting like that for 1 hour it still didn't progress. No new error messages in the logs (other than the health check).

ag-adampike commented 2 years ago

> I'm still waiting for the web frontend to acknowledge the connect server's existence.

Hey @farcaller. Thanks for bringing this to our attention. If by web front end, you mean 1Password.com, then that is expected behaviour until a request is made to the Connect server.

The credentials file contains encrypted credentials that are unlocked with the same bearer token that is used to authenticate a request. Therefore you won't see an update in 1Password.com until a valid request is sent to your Connect server.

If you're able to send a request to say, list the vaults, you should be able to confirm that it's working as expected and the tile in 1Password.com should update accordingly. 🙂

Apollorion commented 2 years ago

I was getting the exact same issue you were, and this was how I got it working (I'm on Mac, not sure if that matters or not):

  1. download 1password-credentials.json
  2. cat 1password-credentials.json | openssl base64 | tr -d '\n' | pbcopy
  3. kubectl edit secret op-credentials

Paste the following. Important to note: I had to change data to stringData. Don't forget to paste your clipboard (the result of pbcopy).

apiVersion: v1
stringData:
  1password-credentials.json: PASTE_HERE
kind: Secret
metadata:
  name: op-credentials
  namespace: onepassword
type: Opaque

As for the token, I just did the following (note: no base64 encoding required): kubectl create secret generic onepassword-token --from-literal=token=YOUR_NONBASE64ENCODED_TOKEN
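The double encoding this thread converges on, as an added example that is not part of any comment above and not the chart's own code: it renders the Secret with the credentials file base64-encoded once inside stringData, and classifies a value the way the Connect pod would receive it in OP_SESSION. The Secret name, key and namespace are the ones used in the thread; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; Secret name, key and
# namespace are copied from the thread.

# Encode the credentials file once, on a single line. Kubernetes applies the
# second (outer) base64 layer itself when it stores stringData.
encode_credentials() {
  base64 < "$1" | tr -d '\n'
}

# Classify a value as the pod would see it in OP_SESSION:
#   raw-json    -> starts with '{', which is not in the base64 alphabet; this
#                  matches "illegal base64 data at input byte 0" in the logs
#   base64-json -> decodes to something that starts with '{'
#   invalid     -> neither
classify_op_session() {
  local value="$1"
  local decoded
  case "$value" in
    '{'*) echo raw-json; return 0 ;;
  esac
  decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || { echo invalid; return 0; }
  case "$decoded" in
    '{'*) echo base64-json ;;
    *)    echo invalid ;;
  esac
}

# Print a Secret manifest for the given credentials file.
# Usage: render_secret 1password-credentials.json | kubectl apply -f -
render_secret() {
  local file="$1"
  local namespace="${2:-onepassword}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: op-credentials
  namespace: $namespace
type: Opaque
stringData:
  1password-credentials.json: $(encode_credentials "$file")
EOF
}
```

Piping render_secret into kubectl apply -f - keeps the credentials out of the clipboard and out of an editor buffer.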

jillianwilson commented 1 year ago

It looks like @Apollorion and @ag-adampike have provided solutions for you so I'll be closing this ticket. But feel free to reopen if you are still having issues.