
Generate new password when item does not exist in 1Password

Open kevinvalk opened this issue 3 years ago • 5 comments

Summary

I would like to generate new Kubernetes secrets and store them in 1Password. So we could do something like: if the 1Password secret does not exist, generate a new entry in the specified location according to the given password rules (in the CRD).

Use cases

As mentioned, this avoids the need to manually set up secrets. And any manual work is a potential point where a (security) mistake can be made.

For example, when creating a Redis cluster in K8S, you can specify the password. Instead of hardcoding the password, I could let 1Password generate the password and store it directly in the "infrastructure" vault. Do note that in this case a pure password generation functionality without storing it in 1Password may be much better (e.g. there is no point in having the Redis password in 1Password, and it may even be considered bad practice).

Another example is the creation of a Grafana instance. You want to give the admin user a secure password and share that with the relevant actual user. By leveraging the aforementioned capabilities, a strong password can be generated and shared with the actual user through 1Password.

Proposed solution

The OnePasswordItem CRD could be extended (somehow) to also expose the "generate": true capability of the "add an item" Connect API reference: https://support.1password.com/connect-api-reference/#add-an-item.

Is there a workaround to accomplish this today?

No, as there are no "write" capabilities in the onepassword operator as far as I can see.

References & Prior Work

https://github.com/mittwald/kubernetes-secret-generator

kevinvalk avatar Oct 03 '21 08:10 kevinvalk
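An added example of the "create if missing" pattern the request describes, written for this thread and not part of the operator or of 1Password's own code. It generates a password locally from a recipe with a CSPRNG and builds the request body the Connect API's "add an item" call takes (a CONCEALED password field with "generate": true and a "recipe" of length and characterSets, as that reference documents). The `InMemoryVault` class is a constructed stand-in for a Connect client so the idempotency logic runs offline; its `find_by_title` and `create` method names are assumptions, not the real SDK.

```python
import secrets
import string

# Character classes for the recipe. The names follow the Connect API's
# "recipe.characterSets" values (LETTERS, DIGITS, SYMBOLS); the exact symbol
# alphabet used here is a constructed choice.
CHARACTER_SETS = {
    "LETTERS": string.ascii_letters,
    "DIGITS": string.digits,
    "SYMBOLS": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=32, character_sets=("LETTERS", "DIGITS", "SYMBOLS")):
    """Generate a password locally from a recipe: CSPRNG-backed, and every
    requested character class is guaranteed to appear at least once."""
    if length < len(character_sets):
        raise ValueError("length is too short to include every character class")
    pools = [CHARACTER_SETS[name] for name in character_sets]
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]  # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)  # remove the class-order pattern
    return "".join(chars)


def build_item_request(title, length=32, character_sets=("LETTERS", "DIGITS", "SYMBOLS")):
    """Body of a Connect API "add an item" request that asks the server to
    generate the password. The vault is addressed in the URL
    (/v1/vaults/{vaultUUID}/items), so it is not part of the body."""
    return {
        "title": title,
        "category": "PASSWORD",
        "fields": [
            {
                "id": "password",
                "type": "CONCEALED",
                "purpose": "PASSWORD",
                "generate": True,
                "recipe": {"length": length, "characterSets": list(character_sets)},
            }
        ],
    }


class InMemoryVault:
    """Constructed stand-in for a Connect client (assumed method names) so the
    lookup-then-create logic can run offline."""

    def __init__(self):
        self._items = {}

    def find_by_title(self, title):
        return self._items.get(title)

    def create(self, body):
        # Emulate server-side generation: honour "generate": true and the recipe.
        item = {"title": body["title"], "category": body["category"], "fields": []}
        for field in body["fields"]:
            field = dict(field)
            if field.pop("generate", False):
                recipe = field.pop("recipe", {})
                field["value"] = generate_password(
                    recipe.get("length", 32),
                    tuple(recipe.get("characterSets", ("LETTERS", "DIGITS", "SYMBOLS"))),
                )
            item["fields"].append(field)
        self._items[item["title"]] = item
        return item


def ensure_item(vault, title, length=32, character_sets=("LETTERS", "DIGITS", "SYMBOLS")):
    """Create the item only when no item with this title exists.
    Returns (item, created). Re-running on a redeploy keeps the existing
    secret instead of rotating one that live clients already depend on."""
    existing = vault.find_by_title(title)
    if existing is not None:
        return existing, False
    return vault.create(build_item_request(title, length, character_sets)), True


def password_of(item):
    """Read the generated password back out of an item."""
    return next(f["value"] for f in item["fields"] if f.get("purpose") == "PASSWORD")
```

The lookup-then-create is not atomic: two reconcilers racing on the same title can both see "missing" and create twice, so a real operator would also need to handle a duplicate on the second create (or key the lookup on a stable item ID recorded in the CR status) before it can be trusted for the session-secret case discussed later in this thread.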

Hey @kevinvalk,

This is an interesting use case. It does seem handy to enable the operator to trigger creating 1Password items, in your case for generating passwords based on a recipe. I've raised this use case with my team and will come back to you if and when we decide to dive deeper into this issue. 😊

edif2008 avatar Jun 08 '22 18:06 edif2008

I'd love to see this feature enabled for secrets generated by some other process. My use case is secrets generated by Rook for access to object-based storage; at the moment I have to manually copy them into OnePassword. An upload feature would be fantastic.

andrewcole avatar Jun 30 '22 02:06 andrewcole

Same here. We would like to generate some secrets which should survive a complete redeployment, i.e. to another cluster. That could be a secret for sessions. If we were on a running instance with traffic, we would break all existing tokens if we only generated the secrets with another operator in the cluster (i.e. https://github.com/mittwald/kubernetes-secret-generator).

@edif2008 do you have already some news about the ongoing work or discussion?

matthiasbaldi avatar Nov 24 '22 16:11 matthiasbaldi

Similar feature #9 was requested 2 years ago already.

adambro avatar Apr 13 '23 11:04 adambro

I'd love to see this feature enabled for secrets generated by some other process. My use case is secrets generated by Rook for access to object-based storage; at the moment I have to manually copy them into OnePassword. An upload feature would be fantastic.

I have exactly the same issue.

ehsan310 avatar Mar 05 '24 11:03 ehsan310