onepassword-operator
Support for stringData in Opaque secrets
Summary
For some use cases I need a Kubernetes Secret of type Opaque with its values in stringData rather than in data. See also https://kubernetes.io/docs/concepts/configuration/secret/#restriction-names-data. That is a native Kubernetes use case, and it would be great to have it in combination with the 1Password Operator.
Use cases
Allow storing secret values that are not base64 encoded in stringData, for applications that need unencrypted values in a Kubernetes Secret.
Proposed solution
Add an option to specify whether an Opaque secret will store its values in data or in stringData.
The following OnePasswordItem ...

```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
type: Opaque/stringData
metadata:
  name: private-repo-creds
spec:
  itemPath: vaults/mysecretvault/items/private-repo-creds
```
... should create a Kubernetes Secret like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: private-repo-creds
  namespace: demo
stringData:
  type: git
  url: [email protected]:kubernetes/application
  sshPrivateKey: |
    -----BEGIN PRIVATE KEY-----
    ... wait for 1Password support for stringData in secrets
    -----END PRIVATE KEY-----
```
Is there a workaround to accomplish this today?
If the application supports it, you can decode the base64 encoded value before use. In my case, that's not possible.
Discovered a new Kubernetes application deployment that needs secrets with stringData. ArgoCD and Pinniped are two of them.
+1 SeldonCore needs this - Seldon docs here
+1 I would say that the ArgoCD use case is a VERY valid reason to plan this work. Many companies are adopting ArgoCD for GitOps workflows.
Please see the GitHub SSH secret example from the ArgoCD docs.
Tailscale operator also needs this 🙏
Hi there,
I just deployed the following OnePasswordItem for my ArgoCD deployment and it works well.
```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cluster-managment-https-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
spec:
  itemPath: "vaults/${env}/items/cluster-managment-https-repo"
```
and the secret generated is as follows:
```
Name:         cluster-managment-https-repo
Namespace:    argocd
Labels:       argocd.argoproj.io/secret-type=repository
Annotations:  operator.1password.io/item-path: vaults/***/items/***
              operator.1password.io/item-version: 1

Type:  Opaque

Data
====
username:  25 bytes
password:  12 bytes
type:      3 bytes
url:       51 bytes
```
ArgoCD doesn't care if your secret uses data or stringData.
I hope it will help.
I just spent way too much time trying to find out why cert-manager gave errors contacting the Cloudflare API. It is because the 1Password secret was not (and can't be) defined as stringData.
Does not work
```yaml
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
spec:
  itemPath: "vaults/my-vault/items/cloudflare-api"
```
Works
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: secret-token-here
```
Now I just have to make sure to not commit the secret 🫠
Would be great for this to be added to 1password somehow
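The whole thread (the proposal at the top, the ArgoCD comment that says data vs. stringData makes no difference, and the cert-manager comment that blames stringData) turns on what stringData actually is. The following is an added example, my own code and not part of this issue or of the onepassword-operator project, that replays what the Kubernetes API server does on write according to the Kubernetes Secret documentation: stringData is a write-only convenience field, each value is base64-encoded and merged into data (stringData wins on a conflicting key), and only data is stored and returned to readers. A consumer therefore cannot tell a secret written via stringData from one written via data, which is what the ArgoCD comment observes; what a consumer actually depends on is that the key names and values it looks up exist in data. The manifests below are constructed samples modelled on the ones in this thread with placeholder values, and the `missing_keys` helper is my assumption about the first thing to check when an operator-generated secret is not picked up (the thread does not say what the cert-manager item's fields were).

```python
"""What the Kubernetes API server does with ``stringData`` on write.

Added example for this thread, not code from the onepassword-operator project.
Semantics implemented here follow the Kubernetes Secret documentation:
``stringData`` is a write-only field; on write each value is base64-encoded
and merged into ``data`` (``stringData`` takes precedence on a key conflict),
and only ``data`` is stored and returned to readers.
"""
import base64
import copy


def normalize_secret(manifest: dict) -> dict:
    """Replay the API server's write-time merge of stringData into data.

    Returns a new manifest containing only ``data`` (values base64-encoded, as
    the API server stores them); ``stringData`` is dropped. The input is not
    mutated.
    """
    stored = copy.deepcopy(manifest)
    data = dict(stored.get("data") or {})
    for key, value in (stored.pop("stringData", None) or {}).items():
        # stringData overrides any same-named key already present in data
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    stored["data"] = data
    return stored


def read_secret_values(stored: dict) -> dict:
    """What a consumer (volume mount, envFrom, a controller) actually sees:
    every value of ``data`` base64-decoded."""
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in (stored.get("data") or {}).items()
    }


def consumers_see_same_values(a: dict, b: dict) -> bool:
    """True when two manifests, however they were written, yield the same
    key/value pairs to a reader."""
    return read_secret_values(normalize_secret(a)) == read_secret_values(normalize_secret(b))


def missing_keys(stored: dict, expected: set) -> set:
    """Keys a consumer looks up by name that the stored secret lacks.

    Assumption (mine, not from the thread): when a secret produced from a
    1Password item is not picked up, comparing its key names against what the
    consumer reads is the first check to run, since the keys come from the
    item's fields rather than from the consumer's expectations.
    """
    return set(expected) - set((stored.get("data") or {}).keys())


# Constructed sample manifests (placeholder values, not real credentials),
# modelled on the cert-manager example in this thread.
_META = {"name": "cloudflare-api-token", "namespace": "cert-manager"}

SECRET_VIA_STRINGDATA = {
    "apiVersion": "v1", "kind": "Secret", "metadata": dict(_META),
    "type": "Opaque",
    "stringData": {"api-token": "secret-token-here"},
}

# The same secret written the way the operator (or `kubectl get -o yaml`) shows it.
SECRET_VIA_DATA = {
    "apiVersion": "v1", "kind": "Secret", "metadata": dict(_META),
    "type": "Opaque",
    "data": {"api-token": "c2VjcmV0LXRva2VuLWhlcmU="},  # base64("secret-token-here")
}

# Both fields set for the same key: stringData wins on write.
SECRET_WITH_CONFLICT = {
    "apiVersion": "v1", "kind": "Secret", "metadata": dict(_META),
    "type": "Opaque",
    "data": {"api-token": "b2xk"},          # base64("old")
    "stringData": {"api-token": "new"},
}


if __name__ == "__main__":
    stored = normalize_secret(SECRET_VIA_STRINGDATA)
    print("stored manifest still has stringData:", "stringData" in stored)
    print("stored data:", stored["data"])
    print("consumer sees:", read_secret_values(stored))
    print("stringData and data writes are indistinguishable:",
          consumers_see_same_values(SECRET_VIA_STRINGDATA, SECRET_VIA_DATA))
    print("conflict resolved to:", read_secret_values(normalize_secret(SECRET_WITH_CONFLICT)))
    # A consumer configured to read key "apiToken" fails here regardless of
    # whether the secret was written with data or stringData.
    print("missing for a consumer expecting 'apiToken':",
          missing_keys(stored, {"apiToken"}))
```

The practical consequence for this issue: a `stringData` option on OnePasswordItem would change how the operator writes the secret, not what any consumer reads, so when a controller rejects an operator-generated secret the thing to compare is the key names and decoded values in `data` (for example with `kubectl get secret <name> -o yaml`) against the key the controller is configured to read.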