1Password / onepassword-operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.
https://developer.1password.com/docs/connect/
MIT License

k8s annotation works differently than 1Password item with duplicate secret #110

Open insider89 opened 2 years ago

insider89 commented 2 years ago

Your environment

Operator Version:

Connect Server Version: 1.5.1

Kubernetes Version: 1.22

What happened?

When I create a secret with a 1Password item, then duplicate the secret in 1Password (same title), the secret keeps the oldest values (which is per documentation).

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: ohrab-test
  namespace: ohrab-test
spec:
  itemPath: vaults/Ohrab/items/Ohrab-test Secrets

When I create a secret with a Deployment annotation, then duplicate the secret in 1Password (same title), the secret syncs from the new (youngest) item in 1Password.

 operator.1password.io/item-path: "vaults/Ohrab/items/ohrab-test Secrets"
 operator.1password.io/item-name: "ohrab-test"

What did you expect to happen?

When using the Deployment annotation, I expect it to sync with the oldest secret, not the youngest, when multiple items with the same title are present in 1Password.

Steps to reproduce

  1. Create a 1pass item.
  2. Deploy a OnePasswordItem to the k8s cluster which points to the item from step 1.
  3. Deploy a Deployment with the 1pass annotation which points to the item from step 1.
  4. Duplicate the secret in 1pass (same title) and change some fields.

OnePasswordItem won't update the secret, as it will sync with the oldest one. The Secret from the Deployment annotation will be updated from the new duplicated secret.

Notes & Logs

{"level":"info","ts":1651152548.9133658,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651152914.1560187,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651152927.0827453,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651153259.0832474,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651153259.1319327,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651153349.1244397,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}
{"level":"info","ts":1651153373.1084738,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651153373.1556656,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}
insider89 commented 2 years ago

I found the difference in behavior. In the annotation, I used "ohrab-test Secret", while 1pass has "Ohrab-test Secret". So when the first letter is lower case, it updates the secret in k8s with the latest one, not the oldest. When the first letter is upper case (same as the secret in the 1pass item), then it uses the oldest 1pass item.

 operator.1password.io/item-path: "vaults/Ohrab/items/Ohrab-test Secrets" - use oldest secret
 operator.1password.io/item-path: "vaults/Ohrab/items/ohrab-test Secrets" - use latest one

itemPath: vaults/Ohrab/items/Ohrab-test Secrets - use oldest secret
itemPath: vaults/Ohrab/items/ohrab-test Secrets - use oldest secret

Even with the annotation, I can reproduce it from time to time. Operator v1.4.0.

insider89 commented 2 years ago

Made more tests. Even when the annotation has the same name (capitalization) as the secret, it can use the latest secret, not the oldest. With the 1pass item I didn't reproduce it. So the annotation and 1pass items have different behavior when multiple secrets exist.
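The lookup behaviour the reproduction steps and the last comment describe (several 1Password items sharing one title, with the operator logging that it will use the oldest) written out as an added Go example; this is not the operator's or Connect SDK's code, and `Item` is an assumed minimal struct. It resolves a title case-insensitively (matching what the logs show for "ohrab-test" vs "Ohrab-test"), always picks the oldest item independent of the order the items arrive in, and reports how many items matched so a duplicate title can be surfaced instead of being resolved differently by the annotation and CRD paths.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Item is a minimal stand-in for a 1Password item (assumed shape, not the Connect SDK type).
type Item struct {
	ID, Title string
	CreatedAt time.Time
}

// ResolveByTitle picks the oldest item whose title matches wantTitle (case-insensitively,
// as observed in the issue) and also returns how many items matched, so an ambiguous
// lookup can be logged or alerted on. The result does not depend on input order.
func ResolveByTitle(items []Item, wantTitle string) (Item, int, error) {
	var matches []Item
	for _, it := range items {
		if strings.EqualFold(it.Title, wantTitle) {
			matches = append(matches, it)
		}
	}
	if len(matches) == 0 {
		return Item{}, 0, fmt.Errorf("no item titled %q", wantTitle)
	}
	// Oldest first; tie-break on ID so identical timestamps still give a stable choice.
	sort.SliceStable(matches, func(i, j int) bool {
		if matches[i].CreatedAt.Equal(matches[j].CreatedAt) {
			return matches[i].ID < matches[j].ID
		}
		return matches[i].CreatedAt.Before(matches[j].CreatedAt)
	})
	return matches[0], len(matches), nil
}

func main() {
	// Constructed sample: three duplicates of one title, deliberately listed newest first.
	t0 := time.Date(2022, 4, 28, 12, 0, 0, 0, time.UTC)
	items := []Item{
		{ID: "item-c", Title: "ohrab-test Secrets", CreatedAt: t0.Add(2 * time.Hour)},
		{ID: "item-a", Title: "Ohrab-test Secrets", CreatedAt: t0},
		{ID: "item-b", Title: "Ohrab-test Secrets", CreatedAt: t0.Add(time.Hour)},
	}
	chosen, n, _ := ResolveByTitle(items, "ohrab-test Secrets")
	fmt.Printf("%d items matched; using %s as it is the oldest\n", n, chosen.ID)
}
```

A count greater than one is the condition worth alerting on in a sync controller: a duplicate title means the secret source is ambiguous, whichever rule ends up choosing.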