api connect not connecting: syncer not healthy?

I have deployed the connect using both docker-compose and Kubernetes, both, when testing, giving the same error.
Command used:
curl -X GET -H "Authorization: Bearer ey..." -H "Content-type: application/json" localhost:8080/v1/vaults/5mffkkbzyy5xfaj2egbuoiy67i
Error Result:
{"status":500,"message":"failed to initiate, review service logs for details"}%
Error log in onepassword-connect:
│ {"log_message":"(I) GET /v1/vaults/5mffkkbzyy5xfaj2egbuoiy67i","timestamp":"2021-05-29T00:03:17.6872223Z","level":3,"scope":{"request │
│ {"log_message":"(I) notifying syncer of new token","timestamp":"2021-05-29T00:03:17.6874074Z","level":3,"scope":{"request_id":"4d5771 │
│ {"log_message":"(I) awaiting healthy syncer before continuing","timestamp":"2021-05-29T00:03:17.6884078Z","level":3,"scope":{"request │
│ {"log_message":"(E) syncer did not become healthy, terminating request","timestamp":"2021-05-29T00:03:25.8494509Z","level":1,"scope": │
│ {"log_message":"(I) GET /v1/vaults/5mffkkbzyy5xfaj2egbuoiy67i completed (500: Internal Server Error)","timestamp":"2021-05-29T00:03:2 │


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: mac 11.3.1
Sync Type: Not Provided
Referrer: forum-search:secret automation

Comments

  • Additional information:
    Run Command:

    curl -X GET -H "Authorization: Bearer ey...." -H "Content-type: application/json" 10.1.0.57:8080/v1/vaults/5mffkkbzyy5xfaj2egbuoiy67i

    Result:

    {"status":500,"message":"failed to initiate, review service logs for details"}

    Check the secret setup in K8s:

    From sync process:

    From connect process:

  • James_1PJames_1P

    Team Member

    Hi parksidemx,

    The sync process is reporting that it could not find the 1password-credentials.json file to decrypt and authenticate with 1password.com. This file needs to be mounted into both containers, what does your configuration for loading the credentials look like.

    James

  • I pretty much just tried the instructions from onepassword-operator on github:
    created secret:

    kubectl create secret generic onepassword-token —from-literal=token=ey...

    installed using helm

    helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json
    kubectl apply -f ./deploy/permissions.yaml
    kubectl apply -f ./deploy/crds/onepassword.com_onepassworditems_crd.yaml

    then started a shell-demo pod in the same namespace and login

    kubectl exec --stdin --tty shell-demo -- /bin/bash

    and tried the command:

    curl -X GET -H "Authorization: Bearer ey... " -H "Content-type: application/json" 10.1.0.57:8080/v1/vaults/5mffkkbzyy5xfaj2egbuoiy67i

    The bearer token and the k8s secret token was the same token.

    I also checked and confirmed the openpassword-token and op-credentials which have the correct values that I downloaded from myaccount.1password.com.

  • James_1PJames_1P

    Team Member

    Thanks for the extra context, I am going to try and reproduce this error. The logs look like something has gone wrong in the process of validating that the token is issued for the same server that the Credentials file was, but I will need to test it.

  • James_1PJames_1P

    Team Member

    Hi parksidemx,

    This is going to sound like a silly question, but was the token you are using created for the same secrets automation environment that your credentials file is for? I was able to reproduce the connect-sync log situation that you shared when I used a Token for "Server A" with "Server B"

  • edited June 1

    Hi James,
    I created all items from the same ACCOUNT.1password.com console using the integration/secret_automation against the same vault, generated one json file, but have generated two api tokens in different occasion. Based on my understanding, the json only need to be generated once, the api-token can be generated multiple times on-demand and can be used as long as the same valid token is used for one setup. Is my understanding incorrect on this?

  • James_1PJames_1P

    Team Member

    Hi,

    Your understanding is correct. You can generate multiple tokens for use with the same Connect server. The only caveat is that if you have configured 2 secrets automation environments in the 1password.com console the token for one server cannot be used with another.

    There is a cryptographic validation that the server performs combing the token and the credentials file. The logs you shared above indicate that the validation failed so I wanted to double check that you hadn't configured two separate connect servers.

    I am going to dig in a little more today to see if I can reproduce this with only 1 environment setup in the admin console.

  • Hi James_1P,
    Thank you very much for the explanation. Finally I find the issue. There were two JSON files generated, against the same vault, with exactly the same name ( name of secret automation ) by go through the secret automation twice during debug. I always thought they are the same. In fact they are different. Now the issue has been resolved. Thank you!

  • James_1PJames_1P

    Team Member

    Thanks so much for the update! I am glad you figured that out. I am going to take this experience back to the team and see what we can do to help make that more clear in the future.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file