CLI in local and Secret Automation in CI

dtruongdtruong
edited May 6 in Secrets Automation


I've created a setup that provides a single entry point between OP CLI for local users and OP SA for CI.
There was complexity around CircleCI constraints, but I've managed to get it running on my builds.
Right now it is in a place where I need to decide whether i accept setup complexity (orchestration of the two tools) for user experience (local development and secret admin).

Possibly not how the tools were designed to be used, but would be keen to get feedback and suggestions
https://github.com/dtruong0/1password-secret-automation-ci


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I have also noticed a reproducible bug
    
On circle CI If you make a secret request to connect-api as soon as the api begins accepting requests it will fail with this error
 {"status":500,"message":"failed to initiate, review service logs for details"}'

    Sync-api logs

    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 8080 /meta/message","timestamp":"2021-04-26T00:23:00.251304284Z","level":3}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2021-04-26T00:23:00.253058056Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2021-04-26T00:23:00.253093214Z","level":3}
    {"log_message":"(I) database initialization complete","timestamp":"2021-04-26T00:23:00.257781677Z","level":3}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2021-04-26T00:23:00.258025603Z","level":3}
    
    

    Connect-api logs

    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 8080 /meta/message","timestamp":"2021-04-26T00:22:59.479050881Z","level":3}
    {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2021-04-26T00:22:59.479532167Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2021-04-26T00:22:59.479789076Z","level":3}
    {"log_message":"(E) failed to connectEndpoint for discovered peer: failed to transport.CreateConnection: [transport-websocket] failed to Dial endpoint: dial tcp 172.23.0.3:8080: connect: connection refused","timestamp":"2021-04-26T00:23:00.252528238Z","level":1}
    {"log_message":"(I) GET /v1/vaults/<vault-id>/items?filter=title%20eq%20%22<secret-name>%22","timestamp":"2021-04-26T00:23:04.03869959Z","level":3,"scope":{"request_id":"6a134224-8a53-4ea3-81e1-d59b4c43476e"}}
    {"log_message":"(I) notifying syncer of new token","timestamp":"2021-04-26T00:23:04.039431222Z","level":3,"scope":{"request_id":"6a134224-8a53-4ea3-81e1-d59b4c43476e","jti":"gztizaxkcwkeeietbz4gz6ante"}}
    {"log_message":"(I) awaiting healthy syncer before continuing","timestamp":"2021-04-26T00:23:04.039848505Z","level":3,"scope":{"request_id":"6a134224-8a53-4ea3-81e1-d59b4c43476e","jti":"gztizaxkcwkeeietbz4gz6ante"}}
    {"log_message":"(E) syncer did not become healthy, terminating request","timestamp":"2021-04-26T00:23:10.260223836Z","level":1,"scope":{"request_id":"6a134224-8a53-4ea3-81e1-d59b4c43476e","jti":"gztizaxkcwkeeietbz4gz6ante"}}
    {"log_message":"(I) GET /v1/vaults/<vault-id>/items?filter=title%20eq%20%22<secret-name>%22 completed (500: Internal Server Error)","timestamp":"2021-04-26T00:23:10.260635225Z","level":3,"scope":{"request_id":"6a134224-8a53-4ea3-81e1-d59b4c43476e","jti":"gztizaxkcwkeeietbz4gz6ante"}}
    
    

    But you will not get an error if you add a sleep here
    https://github.com/dtruong0/1password-secret-automation-ci/blob/master/scripts/env/docker-compose.yml#L13

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file