connect-helm-charts
connect-helm-charts copied to clipboard
1Password
fix: credential secret does not works if set from values
Hi, thank you for your nice job!
I think I found a couple of minor issues. However, it could be I did not get the right way to use the chart :).
Double encoded secret
The main repo creates the connect-credentials secret using the stringData method but provides binary strings:
https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-credentials.yaml#L14-L20
This ends up encoding the string twice making the mounted file not accessible by the software. Using the data method works as expected since the helm chart takes care of converting to binary when needed.
1password-credential.json stored in an environmental variable
The main repo expects the server codes to use to read the credentials directly from the OP_SESSION variable. Thus the helm chart reads like this:
https://github.com/1Password/connect-helm-charts/blob/a9e4e31a83356e9c9ad46cec93741dd89943676a/charts/connect/templates/connect-deployment.yaml#L61-L66
This stores the value of the secret in the OP_SESSION variable but the docs of the op-server are quite clear on the fact that the variable only defines the path to the credential file.
I fixed this issue by creating a volume out of the credential-secret and mounting it always in the expected spot. I don't see the need of allowing the users of the chart to define directly the OP_SESSION. In case, this can be easily modified though.
Thanks for this, that was exactly the problem I was getting!
Here's a kustomize patch that I used in my ArgoCD app to apply those changes, that could help others before the PR is merged
apiVersion: apps/v1
kind: Deployment
metadata:
name: onepassword-connect
spec:
template:
spec:
containers:
- name: connect-api
env:
- name: OP_SESSION
value: /home/opuser/.op/1password-credentials.json
valueFrom:
volumeMounts:
- name: credentials
mountPath: /home/opuser/.op/1password-credentials.json
subPath: 1password-credentials.json
- name: connect-sync
env:
- name: OP_SESSION
value: /home/opuser/.op/1password-credentials.json
valueFrom:
volumeMounts:
- name: credentials
mountPath: /home/opuser/.op/1password-credentials.json
subPath: 1password-credentials.json
⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).
If you're new to commit signing, there are different ways to set it up:
Sign commits with gpg
Follow the steps below to set up commit signing with gpg:
Sign commits with ssh-agent
Follow the steps below to set up commit signing with ssh-agent:
Sign commits with 1Password
You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.
Learn how to use 1Password to sign your commits.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hey @grhawk thanks for the PR for this! I know this has been sitting here for a bit, but I reviewed today and tested and all looks good. My only feedback is that you sign your commit, as commits need to be signed to merge into main. I could sign your commit on your behalf but then it would look like I wrote your commit. I want to make sure you are properly credited for your work :)
Hi @jillianwilson, I ll sign the commit by the end of the week! Thank you for your time!!
Best Riccardo
I created a new PR since I could not sign the commit I did in this one (the rebase had conflicts and it was too long after I did the PR to remember what I did :))
I am closing this one and pls continue with https://github.com/1Password/connect-helm-charts/pull/196