github-actions[bot]
commented
3 months ago ⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).
If you're new to commit signing, there are different ways to set it up:
Sign commits with gpg
Follow the steps below to set up commit signing with `gpg`:
1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)
3. [Configure `git` to use your GPG key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)
Sign commits with ssh-agent
Follow the steps below to set up commit signing with `ssh-agent`:
1. [Generate an SSH key and add it to `ssh-agent`](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)
2. [Add the SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)
3. [Configure `git` to use your SSH key for commit signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
Sign commits with 1Password
You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process. Learn how to [use 1Password to sign your commits](https://developer.1password.com/docs/ssh/git-commit-signing/).
craigmiller160
THE PROBLEM
The 1Password connect operator supports adding a TLS certificate for direct intra-cluster traffic (via its kubernetes service). In many cases, securing intra-cluster traffic with TLS (ie, a no-trust scenario) means assigning a certificate that is either self-signed or signed by an internal organization CA. In both cases, this then means that the 1Password operator needs to be able to trust this certificate.
In its current form, there is no way to configure the 1Password operator to trust a certificate from an unknown authority, which makes a no-trust secure internal network very difficult to construct.
MY SOLUTION
I have added a new optional values.yaml property,
operator.tls.trust.secret. It should point to the same secret used to providetls.crtto the connect application. If a user provides that value, the secret is mounted as a volume in the operator application, and the golang SSL_CERT_FILE environment variable is set. This results in the operator successfully trusting the certificate used by the connector.TESTING PERFORMED
I have deployed 1Password to my own kubernetes environment with the fork I made to perform this change, and I have validated that everything works end-to-end.
NEXT STEPS
I sincerely hope the 1Password team will review this contribution. Any changes you request I will be happy to perform. Thank you so very much.