1Password / onepassword-operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.
https://developer.1password.com/docs/connect/
MIT License

Support for all workloads #18

Open nesl247 opened 3 years ago

nesl247 commented 3 years ago

I'm not 100% sure as I haven't tested this yet, but from what it looks like (code and docs), this only works with Deployments. Please add support for all workloads: DaemonSet, CronJob, Job, etc.

florisvdg commented 3 years ago

The OnePasswordItem CRD works independently from any specific Kubernetes workload type, because the output will be a regular Kubernetes Secret. So anything that can use Kubernetes secrets (though Opaque only as of now) should be able to source them from 1Password.

What you're seeing about Deployments is a shorthand to quickly add a single secret to a deployment. We'll update the docs to make this a bit more clear.

Or were you talking about the auto restart feature?

nesl247 commented 3 years ago

I was referring to both. There shouldn't be a limitation in my opinion on the different workload types for the annotations.

SimonBarendse commented 3 years ago

Yes, definitely good to add support for more workload types!

@nesl247 In the meantime, does using OnePasswordItem CRDs work for your use case?

nesl247 commented 3 years ago

I believe so.
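
The workaround discussed above, as an added example that is not part of the original thread or the project's own manifests: a `OnePasswordItem` produces a regular Secret, which a StatefulSet then consumes like any other Secret. The resource names, namespace, image, the `<vault>`/`<item>` placeholders and the `password` key are assumptions chosen for illustration.

```yaml
# Added example. Values marked "placeholder" or "assumed" are not from the thread.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: rabbitmq-credentials        # placeholder; the generated Secret takes this name
  namespace: messaging              # placeholder
spec:
  itemPath: "vaults/<vault>/items/<item>"   # fill in your own vault and item
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: rabbitmq                    # placeholder
  namespace: messaging              # same namespace as the OnePasswordItem
spec:
  serviceName: rabbitmq
  replicas: 1
  selector:
    matchLabels:
      app: rabbitmq
  template:
    metadata:
      labels:
        app: rabbitmq
    spec:
      containers:
        - name: rabbitmq
          image: rabbitmq:3         # placeholder image
          env:
            - name: RABBITMQ_DEFAULT_PASS
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-credentials   # the Secret created by the operator
                  key: password     # assumed: the item has a field labelled "password"
```

Nothing here relies on the `operator.1password.io/*` workload annotations, which are the part this issue reports as limited to Deployments.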

edif2008 commented 1 year ago

Based on #143 the annotations should work for the following as well (at least): Pod, CronJob, StatefulSet.

otherguy commented 1 year ago

Thanks @edif2008 for directing me here. So it's easier to find, I'll repeat my ticket here:

The operator.1password.io/item-path annotation isn't working when attached to a Pod or a StatefulSet, only when attached to a Deployment object.

For external Helm charts (like for example https://artifacthub.io/packages/helm/bitnami/rabbitmq) it would be great if it were possible to use the 1Password annotation directly on a Pod.

We use dozens of external Helm charts deployed through ArgoCD and we would love to use 1Password with many of them. When the Helm charts make use of Deployments, and allow custom annotations, it's simple. But for Helm charts that deploy StatefulSets or DaemonSets, this is not possible. And only very few charts allow creating arbitrary resources (like OnePasswordItems) through their values.

What would be really cool as well, is if we could create a Secret manually and use the operator.1password.io/item-path annotation directly on the Secret and it would populate the secret without the need for a second resource (be it OnePasswordItem or Deployments).

AWildBeard commented 1 year ago

I too am finding myself running into this limitation.