1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License

Using with Helm #39

Closed nodesocket closed 3 years ago

nodesocket commented 3 years ago

I am currently using standard Helm and a template like:

{{- $def := index .Values "default" -}}
apiVersion: v1
data:
  STRIPE_PUBLIC_KEY: {{ default $def.STRIPE_PUBLIC_KEY | b64enc }}
  STRIPE_SECRET_KEY: {{ default $def.STRIPE_SECRET_KEY | b64enc }}
  # .... etc ....
kind: Secret
metadata:
  name: api-env
type: Opaque

Then the deployment simply does:

envFrom:
- secretRef:
  name: api-env

Finally, in the values.yaml we specify the secrets like:

default:
  STRIPE_PUBLIC_KEY: foobar
  STRIPE_SECRET_KEY: secret-foobar

How would migrating to 1Password-operator in our Kubernetes cluster work?

florisvdg commented 3 years ago
  1. Move the secrets from your values.yaml to a 1Password vault
  2. Set up 1Password Secrets Automation for that vault
  3. Use the Helm chart to deploy Connect+operator
  4. For every secret you want to make available in your Kubernetes cluster, add a OnePasswordItem CRD where you specify which 1Password item should map to which Kubernetes Secret.

And all your deployment specs can stay the same if they were using Kubernetes Secrets already.

nodesocket commented 3 years ago

@florisvdg thanks for the help.

I have completed steps 1, 2, 3.

ubuntu@kubectl:/tmp$ kubectl get pods
NAME                                   READY   STATUS             RESTARTS   AGE
onepassword-connect-57bcf96ff8-vzvt6   2/2     Running            0          6m8s

When trying to store the CRD though, I am getting the following error:

ubuntu@kubectl:/tmp$ kubectl create -f test-onepassword-secret.yaml
error: unable to recognize "test-onepassword-secret.yaml": no matches for kind "OnePasswordItem" in version "onepassword.com/v1"

The contents of test-onepassword-secret.yaml are:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: onepassword-api-env
spec:
  itemPath: vaults/Acme-Test/items/api-env

nodesocket commented 3 years ago

@florisvdg found my problem, needed a few more flags when doing the Helm install:

helm install onepassword-connect 1password/connect --set-file connect.credentials=~/1password-credentials.json --set operator.create=true --set operator.token.value=<ONEPASSWORD_TOKEN>

I was able to store the secret using the above test-onepassword-secret.yaml, but aren't I supposed to be able to see the secret when doing:

kubectl get secrets

I do see the onepassworditem CRD:

ubuntu@kubectl:/tmp$ kubectl describe onepassworditem onepassword-api-env
Name:         onepassword-api-env
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  onepassword.com/v1
Kind:         OnePasswordItem
Metadata:
  Creation Timestamp:  2021-04-20T22:45:33Z
  Generation:          1
  Managed Fields:
    API Version:  onepassword.com/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:itemPath:
    Manager:         kubectl-create
    Operation:       Update
    Time:            2021-04-20T22:45:33Z
  Resource Version:  58891898
  Self Link:         /apis/onepassword.com/v1/namespaces/default/onepassworditems/onepassword-api-env
  UID:               7ea1037f-039a-41f7-8c96-410696c0ce3b
Spec:
  Item Path:  vaults/Acme-Test/items/api-env
Events:       <none>

jillianwilson commented 3 years ago

@nodesocket When you set up using the helm chart did you create a cluster role, service account, and rolebinding for the operator?

nodesocket commented 3 years ago

@jillianwilson thanks for the reply. Doesn't the official helm chart create the cluster role, service account, and role binding? If not, why not? Also, I must have missed that in the documentation. Can you point me to it?

florisvdg commented 3 years ago

Yes, it does, but you have to explicitly enable it:

operator:
  create: true
  serviceAccount:
    create: true
  roleBinding:
    create: true
  clusterRole:
    create: true

In the next release, we'll make it create the RBAC resources by default so you'll only have to add --set operator.create=true.
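The two things that went wrong in this thread (the OnePasswordItem kind not being registered because the operator was not deployed, and the item being accepted but no Secret appearing because the RBAC values were off) are both catchable before anything is applied to the cluster. Below is an added example of such a pre-deploy check; it is not code from the connect-helm-charts project. It works on manifests and values already parsed into dicts (for example with yaml.safe_load), uses only the apiVersion, kind, itemPath format and Helm value paths quoted in this thread, and assumes that the operator names the Secret it creates after the OnePasswordItem (that last point is an assumption, not something the thread states). The sample values, manifest and deployment are constructed from the thread.

```python
"""Pre-deploy checks for the 1Password Connect operator migration in this thread.
Added example, not code from the connect-helm-charts project.

Assumptions (not stated on the page):
- manifests and Helm values are already parsed into dicts (e.g. yaml.safe_load);
- the Secret the operator creates takes the name of the OnePasswordItem.
"""
import re
from typing import Any, Dict, List, Tuple

ITEM_API_VERSION = "onepassword.com/v1"   # from test-onepassword-secret.yaml above
ITEM_KIND = "OnePasswordItem"
ITEM_PATH_RE = re.compile(r"^vaults/(?P<vault>[^/]+)/items/(?P<item>[^/]+)$")

# Values florisvdg says must all be true (pre-v1.2.0) for the operator to get
# its ServiceAccount, RoleBinding and ClusterRole. Without them the CRD is
# accepted by the API server but the operator can never write the Secret.
RBAC_VALUE_PATHS = (
    "operator.create",
    "operator.serviceAccount.create",
    "operator.roleBinding.create",
    "operator.clusterRole.create",
)


def lookup(values: Dict[str, Any], dotted: str) -> Any:
    """Return the value at a dotted path in a values dict, or None if absent."""
    node: Any = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def missing_rbac_values(values: Dict[str, Any]) -> List[str]:
    """Dotted value paths that are not explicitly set to true."""
    return [path for path in RBAC_VALUE_PATHS if lookup(values, path) is not True]


def parse_item_path(item_path: str) -> Tuple[str, str]:
    """Split 'vaults/<vault>/items/<item>' into (vault, item) or raise ValueError."""
    match = ITEM_PATH_RE.match(item_path)
    if not match:
        raise ValueError(
            f"itemPath must look like vaults/<vault>/items/<item>, got {item_path!r}"
        )
    return match.group("vault"), match.group("item")


def validate_item_manifest(doc: Dict[str, Any]) -> List[str]:
    """Return a list of problems with a OnePasswordItem manifest (empty = OK)."""
    errors: List[str] = []
    if doc.get("apiVersion") != ITEM_API_VERSION:
        errors.append(f"apiVersion must be {ITEM_API_VERSION}")
    if doc.get("kind") != ITEM_KIND:
        errors.append(f"kind must be {ITEM_KIND}")
    if not doc.get("metadata", {}).get("name"):
        errors.append("metadata.name is required (it becomes the Secret name, by assumption)")
    item_path = doc.get("spec", {}).get("itemPath")
    if not isinstance(item_path, str):
        errors.append("spec.itemPath is required")
    else:
        try:
            parse_item_path(item_path)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def unresolved_secret_refs(item_docs: List[Dict[str, Any]], deployment: Dict[str, Any]) -> List[str]:
    """envFrom secretRef names in the deployment that no valid OnePasswordItem would
    produce, under the assumption that Secret name == OnePasswordItem name."""
    produced = {d["metadata"]["name"] for d in item_docs if not validate_item_manifest(d)}
    unresolved: List[str] = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for source in container.get("envFrom", []):
            ref = source.get("secretRef", {}).get("name")
            if ref and ref not in produced:
                unresolved.append(ref)
    return unresolved


# --- constructed sample input, mirroring the thread -------------------------
# nodesocket's first install: only operator.create was set.
VALUES_FIRST_ATTEMPT = {"operator": {"create": True, "token": {"value": "TOKEN-PLACEHOLDER"}}}
# florisvdg's values block with the RBAC resources enabled.
VALUES_WITH_RBAC = {"operator": {"create": True, "serviceAccount": {"create": True},
                                 "roleBinding": {"create": True}, "clusterRole": {"create": True}}}
ITEM_MANIFEST = {"apiVersion": ITEM_API_VERSION, "kind": ITEM_KIND,
                 "metadata": {"name": "onepassword-api-env"},
                 "spec": {"itemPath": "vaults/Acme-Test/items/api-env"}}
# The existing deployment keeps its envFrom on a Secret called api-env.
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "api", "envFrom": [{"secretRef": {"name": "api-env"}}]}]}}}}

if __name__ == "__main__":
    print("missing RBAC values:", missing_rbac_values(VALUES_FIRST_ATTEMPT))
    print("manifest errors:", validate_item_manifest(ITEM_MANIFEST))
    print("unresolved secretRefs:", unresolved_secret_refs([ITEM_MANIFEST], DEPLOYMENT))
```

Run against the thread's own inputs, the first check reports the three RBAC values that were never set, the manifest passes, and the last check flags `api-env`: the item was named `onepassword-api-env`, so under the naming assumption the deployment's `secretRef` would not match until either the item or the reference is renamed.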

nodesocket commented 3 years ago

@florisvdg ok thanks. Any idea when the next release is due to come out with RBAC resources created by default?

Also, can I use Secure Notes in 1Password? Does the Kubernetes integration care what sort of type in 1Password it is?

florisvdg commented 3 years ago

v1.2.0 has just been released, but note: you do have to change the Helm repo URL to https://1password.github.io/connect-helm-charts to get the update.

And about the secure notes, the Kubernetes operator treats them like any other 1Password item. The Kubernetes Secret field where the note contents will get mapped to is notesPlain.