digitalis-io / vals-operator

Kubernetes Operator to sync secrets between different secret backends and Kubernetes
Apache License 2.0

Can't use 1password secrets? #78

Closed shakefu closed 4 months ago

shakefu commented 4 months ago

I am trying to use vals-operator to pull secrets from 1password, but I am getting the following error:

Failed to get secrets from secrets store expand op://Engineering/k8s-test-secret/credential: no provider registered for scheme "op"

On version 0.7.9 of the chart:

src:
  repoUrl: "https://digitalis-io.github.io/helm-charts"
  chart: vals-operator
  targetRevision: 0.7.9
  releaseName: vals-operator

helm:
  values: |
    secretEnv:
    - secretRef:
        name: vals-onepassword

With a manually created secret passed into the chart:

# $ kubectl get secret -n vals-operator vals-onepassword -o yaml
apiVersion: v1
data:
  OP_SERVICE_ACCOUNT_TOKEN: <HIDDEN>
kind: Secret
metadata:
  creationTimestamp: "2024-07-22T23:25:07Z"
  name: vals-onepassword
  namespace: vals-operator
  resourceVersion: "92572"
  uid: 7444c6ab-4f83-4589-84d8-bdc1f807b39b
type: Opaque

... and I verified the chart is correctly rendering that secretRef into the Pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: '2024-07-22T23:31:29Z'
  generateName: vals-operator-7bd87cffb8-
  labels:
    app.kubernetes.io/instance: vals-operator
    app.kubernetes.io/name: vals-operator
    pod-template-hash: 7bd87cffb8
  name: vals-operator-7bd87cffb8-4jd7t
  namespace: vals-operator
spec:
  containers:
    - envFrom:
        - secretRef:
            name: vals-onepassword
      image: 'ghcr.io/digitalis-io/vals-operator:v0.7.9'
      imagePullPolicy: IfNotPresent
      name: vals-operator
# ...

... and here's the secret definition:

apiVersion: digitalis.io/v1
kind: ValsSecret
metadata:
  name: k8s-test-secret
spec:
  type: Opaque
  data:
    username:
      ref: ref+op://Engineering/k8s-test-secret/username
      encoding: text
    credential:
      ref: ref+op://Engineering/k8s-test-secret/credential
      encoding: text

Is there something I'm missing here? Or is 1password not supported in the Operator?
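The error above comes from the reference scheme (`op` in `ref+op://...`) not being among the providers compiled into the operator build. The following is an added example, not code from vals-operator or the vals library, showing a small pre-flight check that parses the `ref+<scheme>://<path>` references from a ValsSecret's `spec.data` and reports any scheme the deployed operator does not support, before the manifest is applied. The entries are copied from the ValsSecret in this issue; the set of supported schemes is an assumption that the caller should fill in from the vals version the operator build actually pins, and the type names (`RefEntry`, `ParseRef`, `CheckRefs`, `PageEntries`) are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// RefEntry is one key of a ValsSecret spec.data block.
// Constructed for this example; it is not the operator's own CRD type.
type RefEntry struct {
	Key string // Kubernetes Secret data key, e.g. "username"
	Ref string // vals reference, e.g. "ref+op://Engineering/k8s-test-secret/username"
}

// PageEntries returns the two references from the ValsSecret quoted in the issue.
func PageEntries() []RefEntry {
	return []RefEntry{
		{Key: "username", Ref: "ref+op://Engineering/k8s-test-secret/username"},
		{Key: "credential", Ref: "ref+op://Engineering/k8s-test-secret/credential"},
	}
}

// ParseRef splits "ref+<scheme>://<path>" into its scheme and path.
// It rejects references that lack the "ref+" prefix or the "://" separator,
// since those would never reach a provider at all.
func ParseRef(ref string) (scheme, path string, err error) {
	const prefix = "ref+"
	if !strings.HasPrefix(ref, prefix) {
		return "", "", fmt.Errorf("ref %q does not start with %q", ref, prefix)
	}
	rest := strings.TrimPrefix(ref, prefix)
	sep := strings.Index(rest, "://")
	if sep <= 0 {
		return "", "", fmt.Errorf("ref %q has no <scheme>:// separator", ref)
	}
	return rest[:sep], rest[sep+3:], nil
}

// CheckRefs returns one error per entry whose scheme is not in supported,
// worded like the operator's own failure so the cause is recognisable.
// The secret values themselves are never fetched or logged here.
func CheckRefs(entries []RefEntry, supported map[string]bool) []error {
	var errs []error
	for _, e := range entries {
		scheme, _, err := ParseRef(e.Ref)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", e.Key, err))
			continue
		}
		if !supported[scheme] {
			errs = append(errs, fmt.Errorf("%s: no provider registered for scheme %q", e.Key, scheme))
		}
	}
	return errs
}

func main() {
	// Assumed scheme sets: an older build without the 1password provider,
	// and a build whose vals dependency includes it. Both lists are constructed.
	oldBuild := map[string]bool{"vault": true, "awssecrets": true}
	newBuild := map[string]bool{"vault": true, "awssecrets": true, "op": true}

	for name, supported := range map[string]map[string]bool{"old build": oldBuild, "new build": newBuild} {
		errs := CheckRefs(PageEntries(), supported)
		if len(errs) == 0 {
			fmt.Printf("%s: all references resolvable\n", name)
			continue
		}
		for _, err := range errs {
			fmt.Printf("%s: %v\n", name, err)
		}
	}
}
```

Running this against the two reference sets prints the same "no provider registered for scheme" diagnosis for the old build and no errors for the new one, so the check can be run in CI against a rendered ValsSecret manifest before it reaches a cluster whose operator image may be behind.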

shakefu commented 4 months ago

It looks like the "vals" dependency in go.mod is well behind the main project... could that be the issue?

shakefu commented 4 months ago

Confirmed with a local build that updating the helmfile/vals dependency makes the 1password provider available.

{"level":"info","ts":"2024-07-23T00:22:10Z","logger":"controllers.vals-operator","msg":"Updated secret","name":"k8s-test-secret","namespace":"in-cluster"}

And created successfully:

$ kubectl get secret -n in-cluster k8s-test-secret -o yaml | yq '.data.credential' | base64 -d
test-password%
$ kubectl get secret -n in-cluster k8s-test-secret -o yaml | yq '.data.username' | base64 -d
test-username%

digiserg commented 4 months ago

Hi @shakefu

Thank you very much for your contribution. I've built a pre-release for testing. I don't have 1password to test with at the moment but I'll try to test it soon.

https://github.com/digitalis-io/vals-operator/releases/tag/v0.7.10-beta2

If you're using the helm chart installation, remember to set

--set image.tag=v0.7.10-beta2