jkroepke / helm-secrets

A helm plugin that help manage secrets with Git workflow and store them anywhere
https://github.com/jkroepke/helm-secrets/wiki
Apache License 2.0
1.53k stars 129 forks source link

Implement secret backend for 1Password CLI #424

Closed jeliebig closed 10 months ago

jeliebig commented 11 months ago

Problem Statement

Currently there are two secret backends available: sops and vals However none of them support the 1Password CLI as a secret source.

Proposed Solution

Let's implement a new secret backend for the 1Password CLI!

Environment

Additional information

Acceptance Criteria

jkroepke commented 11 months ago

is 1Password Connect not an option?

https://github.com/helmfile/vals#1password-connect

jeliebig commented 11 months ago

That requires an accessible Connect server, which we currently don't have. Our Connect server is accessible from within our Kubernetes environment, so we'd need to forward the port to our machines to use this option.

Since the 1Password CLI is available on all of our machines I thought it would be nice to add that as a secret backend instead.

jkroepke commented 11 months ago

I will not integrate 1Password into core, because there is at least a 1Password integration available and I'm unable to maintain such an integration since I do not own a 1Password account and i have no experience with it.

But helm-secrets support custom backends which is desigend to integrate non core secret backends.

There are some community examples for integrate the Vault CLI, doppler CLI and gopass CLI already. Feel free to provide the 1password one, too.

Here is an example YAML

https://github.com/jkroepke/helm-secrets/blob/2ecba6bda2244dc60dff846382e5b373c29fd3f8/tests/assets/values/custom-backend/secrets.yaml

which will be parsed by

https://github.com/jkroepke/helm-secrets/blob/2ecba6bda2244dc60dff846382e5b373c29fd3f8/examples/backends/vault.sh

it works, because helm-secrets provides a library https://github.com/jkroepke/helm-secrets/blob/main/scripts/lib/backends/_custom.sh for custom integration which handle the yaml paring.