1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License

Pod fails to create non-existent mountPath #143

Closed jeremyj closed 1 year ago

jeremyj commented 1 year ago

Your environment

Amazon EKS

Chart Version: secrets-injector-1.0.0

Helm Version: v3.11.3

Kubernetes Version: 1.25

What happened?

If a mountPath specified in a Pod does not exist, it is not created.

What did you expect to happen?

The non-existent mountPath should be created.

Steps to reproduce

This definition does not create /data and returns "/bin/sh: can't create /data/file.txt: nonexistent directory":

apiVersion: v1
kind: Pod
metadata:
  name: testing
  namespace: default
  annotations:
    operator.1password.io/inject: "testing"
spec:
  containers:
  - name: testing
    image: busybox
    command: ["/bin/sh"]
    args: ["-c","while true; do echo $(date) >> /data/file.txt; sleep 5; done"]
    env:
    - name: OP_CONNECT_HOST
      value: "http://onepassword-connect:8080"
    envFrom:
    - secretRef:
        name: op-connect-token
    volumeMounts:
    - mountPath: /data/
      name: storage
  volumes:
  - name: storage
    emptyDir: {}

This definition, which does not invoke the Injector, works as expected:

apiVersion: v1
kind: Pod
metadata:
  name: testing2
  namespace: default
spec:
  containers:
  - name: testing2
    image: busybox
    command: ["/bin/sh"]
    args: ["-c","while true; do echo $(date) >> /data/file.txt; sleep 5; done"]
    env:
    - name: OP_CONNECT_HOST
      value: "http://onepassword-connect:8080"
    envFrom:
    - secretRef:
        name: op-connect-token
    volumeMounts:
    - mountPath: /data/
      name: storage
  volumes:
  - name: storage
    emptyDir: {}

Notes & Logs

jeremyj commented 1 year ago

OK, it seems we're talking about this bug: https://github.com/1Password/kubernetes-secrets-injector/issues/22

jeremyj commented 1 year ago

This chart is pulling image 1.0.0 while the bug referenced in the previous comment has been fixed in release 1.0.1. I've tried manually forcing the version in Chart.yml but I'm getting a certificate error:

Warning FailedCreate 75s (x15 over 2m37s) replicaset-controller Error creating: Internal error occurred: failed calling webhook "secrets-injector.1password.com": failed to call webhook: Post "https://secrets-injector.default.svc:443/inject?timeout=10s": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "1password.com")

Can someone please update the chart?

jeremyj commented 1 year ago

OK, I can specify the version with injector.version.