onepassword-operator
Consider adding Managed Fields metadata for created Secrets
Hello 1Password,
Summary
OnePasswordItem definitions automatically create a Secret object. The presence of these Secret objects is unexpected by CD tools, such as Argo CD. The CD tools will consider an application 'out of sync' due to the presence of these objects. Adding metadata to the Secret object indicating that the fields are managed by 1Password allows the CD tool to be informed that it can safely ignore the differences between the object stored in source and the object created in production.
Use cases
Having the ability to inform CD tools that a particular object is managed outside of the source control system will prevent CD tools from displaying 'false positives' about the status of a deployed application.
Proposed solution
Upon creation of a Secret object, additional metadata fields should be added to the object indicating the fields managed by 1Password (managedFields), as well as a managedFields.manager field.
Is there a workaround to accomplish this today?
I am not aware of a means to work around this issue in the context of Argo CD; it's possible other CD tools are more forgiving / flexible in this regard.
References & Prior Work
https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/
https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management
Thanks for considering this!
Same boat. My use case is slightly different but in line with @mstyne's thoughts. I'm using a custom Kubernetes operator. My internal logic would be simplified quite a lot if I could add a custom attribute to the spec of a 1PasswordItem CRD and have that metadata passed over to the automatically-created secret.
Hi all, thanks for the feedback! I'll have this tracked internally so we can look into implementing this in the future.