1Password / onepassword-operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.
https://developer.1password.com/docs/connect/
MIT License

Support mounting multiple secrets together #59

Open villesau opened 3 years ago

villesau commented 3 years ago

Summary

Would be useful to be able to mount multiple secrets in single secret.

Use cases

Kubernetes supports the following:

Secret definition:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secrets
type: Opaque
data:
  SECRET_1: "base64"
  SECRET_2: "base64"
```

which is mounted like this:

```yaml
envFrom:
  - secretRef:
      name: my-secrets
```

This results in SECRET_1 & SECRET_2 being accessible via env variables inside the container.

However, to my understanding 1pw operator can currently carry only 1 field in my-secrets so this is not possible.

Proposed solution

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets # this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
  SECRET_2: "vaults/vault/items/secret-2"
```

Alternatively, it would be nice if 1Password had native support for key-value pair type secrets built in.

Is there a workaround to accomplish this today?

Mount every secret individually. This increases boilerplate and reduces readability.

E: Seems that there's a way to mount multiple secrets with one file: https://github.com/1Password/onepassword-operator/pull/60. However, there is still no way to add multiple key/value pairs per secret.

jillianwilson commented 3 years ago

Hi there,

The 1Password operator actually can place multiple fields in a secret. When you create a secret using

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets # this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
```

each field in the 1Password item will become a field in the data of the Kubernetes secret. For example, if you have a username and password stored in secret-1 in 1Password, this will translate to the following:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-1
type: Opaque
data:
  username: "base64"
  password: "base64"
```

Is this an acceptable solution for you or is it necessary for you to be able to place multiple 1Password items (and their fields) within a secret?

villesau commented 3 years ago

@jillianwilson what happens to testing-secrets and SECRET_1? And where does secret-1 come from? An example in the documentation would probably help to understand this!

lhriley commented 3 years ago

@jillianwilson I'm not sure that this is a valid example:

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets # this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
```

When I specify any key other than itemPath I get a validation error. With this in mind, the following example would definitely not work:

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets # this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
  SECRET_2: "vaults/vault/items/secret-2"
```

jillianwilson commented 2 years ago

Hi again,

Apologies, as it appears there was a typo in my last reply.

What I meant to explain was that by linking one 1Password item to a Kubernetes Secret, all the item's fields will be available in the associated Kubernetes Secret, thus multiple secrets (for example, a username and password on a Login item) can be represented in one Kubernetes Secret. If you are looking to link multiple 1Password items to a Kubernetes Secret, this is not currently possible, but hopefully the above solution is suitable.

Amended example:

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets # this name can be anything, but will create a kubernetes secret with the same name
spec:
  itemPath: "vaults/<vault-id>/items/<item-id>"
```

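To make the behaviour discussed in this thread concrete, here is an added illustrative model in Python. It is not the operator's code and not from any participant; it models three things the thread describes: the CRD validation lhriley hit (only `itemPath` is accepted in `spec`), the one-item-to-one-Secret mapping jillianwilson describes (each non-empty field becomes a `data` key), and what `envFrom`/`secretRef` then exposes in the container. The sample item, its IDs, labels and values are constructed; the assumption that each field label becomes a Secret key verbatim is a simplification of whatever normalisation the real operator applies.

```python
import base64
import re

# Constructed sample of a 1Password Login item, loosely shaped like a Connect API
# response. IDs, labels and values are invented for this example.
SAMPLE_ITEM = {
    "id": "item-id-placeholder",
    "title": "secret-1",
    "vault": {"id": "vault-id-placeholder"},
    "fields": [
        {"label": "username", "value": "app-user"},
        {"label": "password", "value": "s3cr3t-value"},
        {"label": "notesPlain", "value": ""},              # empty: dropped below
        {"label": "one-time password", "value": "123456"},  # valid Secret key, invalid env name
    ],
}

ITEM_PATH_RE = re.compile(r"^vaults/([^/]+)/items/([^/]+)$")
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # Kubernetes requires a C identifier


def validate_spec(spec):
    """Model of the CRD validation described in the thread: `itemPath` is the only
    accepted spec key, and it must look like vaults/<vault>/items/<item>.
    Returns a list of error strings; an empty list means the spec is valid."""
    errors = []
    for key in spec:
        if key != "itemPath":
            errors.append(f"unknown spec field {key!r}; only 'itemPath' is accepted")
    path = spec.get("itemPath")
    if path is None:
        errors.append("spec.itemPath is required")
    elif not ITEM_PATH_RE.match(path):
        errors.append(f"itemPath {path!r} must match vaults/<vault>/items/<item>")
    return errors


def item_to_secret(item, secret_name):
    """Model of the mapping jillianwilson describes: one linked item -> one Secret,
    with one data key per non-empty field. Values are base64, as in any Secret manifest."""
    data = {}
    for field in item.get("fields", []):
        label, value = field.get("label"), field.get("value")
        if not label or not value:
            continue
        data[label] = base64.b64encode(value.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name},
        "type": "Opaque",
        "data": data,
    }


def env_from_secret(secret):
    """Model of envFrom/secretRef: each data key becomes an env var holding the decoded
    value. Kubernetes skips keys that are not valid environment variable names, so a
    field labelled 'one-time password' lands in the Secret but never in the container env."""
    env = {}
    for key, b64 in secret["data"].items():
        if ENV_NAME_RE.match(key):
            env[key] = base64.b64decode(b64).decode()
    return env


if __name__ == "__main__":
    # The proposed multi-key spec from the issue fails validation, as lhriley observed.
    print(validate_spec({"SECRET_1": "vaults/vault/items/secret-1",
                         "SECRET_2": "vaults/vault/items/secret-2"}))
    secret = item_to_secret(SAMPLE_ITEM, "testing-secrets")
    print(sorted(secret["data"]))
    print(env_from_secret(secret))
```

The env-name check is the practical caveat when relying on `envFrom` with operator-generated Secrets: a field label that is fine as a Secret key may be silently absent from the process environment, so check labels (or use `valueFrom.secretKeyRef` with an explicit `name`) rather than assuming every field arrives.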
azhurbilo commented 2 years ago

> If you are looking to link multiple 1Password Items to a kubernetes secret, this is not currently possible, but hopefully the above solution is suitable

As a workaround it could be OK: 1 app in k8s == 1 secret item in 1Password with multiple password fields.

But in this case we have a problem: if different apps in k8s use the same password, we need to duplicate it (copy/paste) in different 1Password secrets.