search

1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License
90 stars 73 forks source link

Fix 1password-credentials secret injection #193

Closed demon closed 4 months ago

demon commented 4 months ago

Using the credentials as OP_SESSION is confusing, as it requires you to base64 encode the 1password-credentials.json file first. That's on top of having to base64 encode the secret in k8s. This twice base64- encoding is undocumented and unintuitve.

Since connect supports reading the credentials from disk, and we already create the volume from the secret anyway, just follow thru and mount the credentials at the expected location. I imagine this was the intent at some point.

As a sidebar: it was extra weird to find that OP_SESSION has a second use: it can also be used to override the location of 1password-credentials.json. I would advise separating these into two separate environment variables but that's out of scope for this change.

Finally, since we're mounting the file and not trying to double-base64 the data, swap stringData for data in the secret.

Obsoletes pull request #113, fixes issue #163 and issue #94, makes some progress on issue #167.

github-actions[bot] commented 4 months ago

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with `gpg`: 1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key) 2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account) 3. [Configure `git` to use your GPG key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)
Sign commits with ssh-agent

Follow the steps below to set up commit signing with `ssh-agent`: 1. [Generate an SSH key and add it to `ssh-agent`](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) 2. [Add the SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account) 3. [Configure `git` to use your SSH key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process. Learn how to [use 1Password to sign your commits](https://developer.1password.com/docs/ssh/git-commit-signing/). Watch the demo