[Feature Request] Enable creating multiple 1Password secrets using deployment annotations

1Password / onepassword-operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.

https://developer.1password.com/docs/connect/

MIT License

540 stars 59 forks source link

[Feature Request] Enable creating multiple 1Password secrets using deployment annotations #159

Open edif2008 opened 1 year ago

edif2008 commented 1 year ago

Summary

It would be great to be able to create multiple secrets from 1Password using annotations.

This is based on this customer's feedback.

This attempt doesn't work since the map keys have to be unique.

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    operator.1password.io/item-path: "vaults/test-k8s-cluster/items/nine-nine-test-secret"
    operator.1password.io/item-name: "nine-nine-test-secret"
    operator.1password.io/item-path: "vaults/test-k8s-cluster/items/demo-micro-configuration"
    operator.1password.io/item-name: "demo-micro-configuration"

Use cases

A deployment may need secrets that are stored in multiple 1Password items. To have the scope narrowed down, one would prefer to provide the secrets needed for a deployment as annotations.

Is there a workaround to accomplish this today?

Create the secrets using OnePasswordItem resources instead.

bdsoha commented 1 year ago

I have come across the same issue and was contemplating whether it is correct to aggregate all deployment credentials into a single secret. IMO, it is a better practice to split secrets based on single use.

A suggested solution would be to append a suffix the annotation, something like:

metadata:
  annotations:
    operator.1password.io/item-path/0: "vaults/test-k8s-cluster/items/nine-nine-test-secret"
    operator.1password.io/item-name/0: "nine-nine-test-secret"
    operator.1password.io/item-path/1: "vaults/test-k8s-cluster/items/demo-micro-configuration"
    operator.1password.io/item-name/1: "demo-micro-configuration"

andreasgrob commented 1 year ago

An even less verbose option would be to include the item name in the key:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-example
  annotations:
    operator.1password.io/item-path/SECRET_NAME1: "vaults/VAULT/items/ITEM1"
    operator.1password.io/item-path/SECRET_NAME2: "vaults/VAULT/items/ITEM2"
    operator.1password.io/item-path/SECRET_NAME3: "vaults/VAULT/items/ITEM3"

edif2008 commented 1 year ago

Hey folks! 👋 Thank you so much for providing additional usage examples. We really appreciate it. 😄

I do see the value of enabling multiple secrets to be consumed by a single application through annotation, so it is something worth looking into.

I don't have any timelines when the team will look into this, but in the meantime, you're more than welcome to contribute to this if you'd like and have the time. 😊

I will keep you posted when there's any progress on this from my team, though.