k8s annotation works differently than 1Password item with duplicate secret
Your environment
Operator Version:
Connect Server Version: 1.5.1
Kubernetes Version: 1.22
What happened?
When I create a secret with a 1Password item, then duplicate the secret in 1Password (same title), the secret keeps the oldest values (which is per the documentation).
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: ohrab-test
  namespace: ohrab-test
spec:
  itemPath: vaults/Ohrab/items/Ohrab-test Secrets
When I create a secret with the Deployment annotation, then duplicate the secret in 1Password (same title), the secret syncs from the new (youngest) item in 1pass.
operator.1password.io/item-path: "vaults/Ohrab/items/ohrab-test Secrets"
operator.1password.io/item-name: "ohrab-test"
What did you expect to happen?
When using the Deployment annotation, I expect it to sync with the oldest secret, not the youngest, when multiple items with the same Title are present in 1pass.
Steps to reproduce
- Create a 1pass item.
- Deploy a OnePasswordItem to the k8s cluster which points to the item from step 1.
- Deploy a Deployment with the 1pass annotation which points to the item from step 1.
- Duplicate the secret in 1pass (same Title) and change some fields.
The OnePasswordItem won't update the secret as it syncs with the oldest one. The secret from the Deployment annotation will be updated from the new duplicated secret.
Notes & Logs
{"level":"info","ts":1651152548.9133658,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651152914.1560187,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651152927.0827453,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651153259.0832474,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651153259.1319327,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}
{"level":"info","ts":1651153349.1244397,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}
{"level":"info","ts":1651153373.1084738,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}
{"level":"info","ts":1651153373.1556656,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}
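An added example, not code from the issue or from the operator: a small Python script that parses the retrieve_item log lines quoted above and reports titles whose chosen "oldest" item ID changes between reconciliations, which is the symptom of duplicate-title ambiguity this report describes. It also checks whether an item path references vault and item by 26-character object ID (the form seen in the log IDs) rather than by title. Two assumptions, both mine: titles are grouped case-insensitively because the later comment shows "ohrab-test" matching "Ohrab-test", and item paths may carry IDs in place of titles, which is how I recall the operator's documentation describing them but is not stated in this issue.

```python
"""Added example (not the operator's code): detect unstable 1Password item
resolution from the operator's retrieve_item log lines."""
import json
import re
from collections import defaultdict

# Log lines copied from the issue (the operator's "retrieve_item" logger).
SAMPLE_LOGS = [
    r'{"level":"info","ts":1651152548.9133658,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}',
    r'{"level":"info","ts":1651152914.1560187,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}',
    r'{"level":"info","ts":1651152927.0827453,"logger":"retrieve_item","msg":"2 1Password items found with the title \"Ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}',
    r'{"level":"info","ts":1651153259.0832474,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}',
    r'{"level":"info","ts":1651153259.1319327,"logger":"retrieve_item","msg":"2 1Password items found with the title \"ohrab-test Secrets\". Will use item \"usohqwyezr7axnblhy4rpfp334\" as it is the oldest."}',
    r'{"level":"info","ts":1651153349.1244397,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}',
    r'{"level":"info","ts":1651153373.1084738,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"fshtwhjh4jarblskkjgywhmgwm\" as it is the oldest."}',
    r'{"level":"info","ts":1651153373.1556656,"logger":"retrieve_item","msg":"3 1Password items found with the title \"ohrab-test Secrets\". Will use item \"aqhodcz6ibcn7ai3dfjhejxufa\" as it is the oldest."}',
]

# Matches the operator's message for a title that resolves to several items.
MSG_RE = re.compile(
    r'(?P<count>\d+) 1Password items found with the title "(?P<title>.+?)"\. '
    r'Will use item "(?P<item_id>[a-z0-9]+)" as it is the oldest\.'
)
# Item-path form used in the issue: vaults/<vault>/items/<item>.
ITEM_PATH_RE = re.compile(r"^vaults/(?P<vault>[^/]+)/items/(?P<item>[^/]+)$")
# The item IDs in the log above are 26 lowercase alphanumerics.
OBJECT_ID_RE = re.compile(r"^[a-z0-9]{26}$")


def parse_retrieve_item_log(line):
    """Return {ts, count, title, item_id} for a duplicate-title log line, else None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if rec.get("logger") != "retrieve_item":
        return None
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        return None
    return {
        "ts": float(rec.get("ts", 0)),
        "count": int(m.group("count")),
        "title": m.group("title"),
        "item_id": m.group("item_id"),
    }


def selection_timeline(lines):
    """Map each title (case-folded) to its time-ordered list of (ts, item_id)."""
    # Assumption: the operator matched "ohrab-test" against "Ohrab-test", so
    # grouping case-insensitively shows every reconciliation of the same item.
    timeline = defaultdict(list)
    for line in lines:
        ev = parse_retrieve_item_log(line)
        if ev is not None:
            timeline[ev["title"].casefold()].append((ev["ts"], ev["item_id"]))
    for events in timeline.values():
        events.sort()
    return dict(timeline)


def find_inconsistent_selections(lines):
    """Titles whose "oldest" item ID is not the same on every reconciliation.

    A changing ID means workloads may silently receive a different secret than
    the one they were deployed with, so this is worth alerting on.
    """
    unstable = {}
    for title, events in selection_timeline(lines).items():
        ids = sorted({item_id for _, item_id in events})
        if len(ids) > 1:
            unstable[title] = ids
    return unstable


def references_by_id(item_path):
    """True when both vault and item segments are object IDs rather than titles.

    Assumption: the operator accepts IDs in place of titles in item paths. An
    ID reference cannot be affected by a duplicated title, so a manifest review
    can flag title-based paths like the ones in this issue.
    """
    m = ITEM_PATH_RE.match(item_path)
    if not m:
        return False
    return bool(OBJECT_ID_RE.match(m.group("vault")) and OBJECT_ID_RE.match(m.group("item")))


if __name__ == "__main__":
    for title, ids in find_inconsistent_selections(SAMPLE_LOGS).items():
        print(f"title {title!r} resolved to {len(ids)} different items: {', '.join(ids)}")
    path = "vaults/Ohrab/items/Ohrab-test Secrets"
    print(f"{path}: {'by ID' if references_by_id(path) else 'by title (ambiguous if duplicated)'}")
```

Run against the eight lines from the issue, the script reports that the single title resolved to three different item IDs over roughly fourteen minutes, which is exactly the flip-flopping the reporter saw between the OnePasswordItem and the annotation path.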
I found the difference in behavior. In the annotation, I've used "ohrab-test Secret", while 1pass has "Ohrab-test Secret". So when the first letter is lower case, it updates the secret in k8s with the latest one, not the oldest. When the first letter is upper case (same as the secret in the 1pass item), then it uses the oldest 1pass item.
operator.1password.io/item-path: "vaults/Ohrab/items/Ohrab-test Secrets" - use oldest secret
operator.1password.io/item-path: "vaults/Ohrab/items/ohrab-test Secrets" - use latest one
itemPath: vaults/Ohrab/items/Ohrab-test Secrets - use oldest secret
itemPath: vaults/Ohrab/items/ohrab-test Secrets - use oldest secret
Even with the annotation, I can reproduce it from time to time. Operator v1.4.0.
Made more tests. Even when the annotation has the same name (capitalization) as the secret, it can use the latest secret, not the oldest. With the 1pass item I didn't reproduce it. So the annotation and 1pass items have different behavior when multiple secrets exist.