When can we expect Secrets Automation integrations with CI?
I attended the webinar and you mentioned integrating it with CI. When can we expect it to be released?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi sssanjaya,
Unfortunately I do not have an explicit timeline to share with you on formal support for CI integrations; we don't commit to release dates, to make sure we allow adequate time to develop and test a great solution.
I can tell you that the team is actively working on this problem now. Is there a specific CI solution that you are looking to integrate with?
James
0 -
Yes, I am trying to implement it in GitLab CI. I'm very new to 1Password and have set up Connect and the operator. I will try to implement it in Helm charts.
Could you please share a Helm chart which has a 1Password secret implementation? Thank you.
0 -
We don't have any examples at this time of using Secrets Automation in Gitlab CI.
If you want to include 1Password secrets in your Helm chart you will want to look at the operator documentation and have your Helm chart generate custom resource definitions, or use metadata annotations to create the necessary Kubernetes secrets.
0 -
Thank you James! What you guys are building is awesome. 1Password Secrets Automation is very promising and I cannot wait to find solutions; I will share a how-to blog if I can make it work.
0 -
Thanks sssanjaya! I look forward to hearing how you make out. I am just as excited to see what people outside 1Password do with Secrets Automation as I am for what the team here is building.
0 -
Sounds fun and exciting! Getting my hands dirty.
0 -
Enjoy! :)
0 -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: onesecret
  namespace: qa
  annotations:
    operator.1password.io/auto-restart: "true"
    operator.1password.io/item-path: "vaults/qa/items"
    operator.1password.io/item-name: "env"
1. The data inside env does not get pulled into onesecret. How do I create the secret? Am I missing something?
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: onesecret
  namespace: qa
spec:
  itemPath: "vaults/qa/items/env"
2. If I do it like the above, it creates a secret with all data populated somewhere inside onepassword.com/v1/onepassworditems, where I cannot access my secret data from my env Helm chart.
0 -
Hey sssanjaya,
You need to use the Custom Resource Definition shown in the Usage section of the K8s operator repository.
Could you explain what you're trying to do when you say you can't read the secret from your Helm chart? Once I have a better idea of what you're trying to accomplish I'll be able to offer better advice.
0 -
After looking at the GitLab issue I think what you need to do is:
- Confirm you are creating the secret via the deployment annotation
- Make sure you're setting an item_path and item_name annotation
- Refer to the secret using the item_name
So your annotation would look like:
annotations:
  operator.1password.io/auto-restart: "true"
  operator.1password.io/item-path: "vaults/qa/items/env"
  operator.1password.io/item-name: "nameOfMy1PSecret"
and your container's env definition in the helm chart would need to be:
env:
  - name: MY_SECRET_FROM_1P
    valueFrom:
      secretKeyRef:
        name: "nameOfMy1PSecret"
        key: <json key of the field you want from the 1password item>
I can't comment about GitLab specifics, but it looks like they've got you on the right track.
0 -
Firstly, thank you.
1. With deployment annotations, where does it store all the secrets?
2. I tested and double-checked that the item_path and item_name annotations are working with no typos, using flaskdiag-env as the name here.
3. The item_name created by the deployment is completely empty in my case. I have created a OnePasswordItem manually in the default namespace, which seems to be the only config that pulls the secret data.
Also, if I try to use a different namespace then the secret data are all empty. Why is that?
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: flaskdiag-env
spec:
  itemPath: "vaults/qa/items/flaskdiag-env"
kubectl describe output:
Name:         flaskdiag-env
Namespace:    default
Labels:       <none>
Annotations:  operator.1password.io/item-path: vaults/kkx4he4ut7icvhsxezqi5szghm/items/jybjeaw6ed6uc65uq3uctdjgmm
              operator.1password.io/item-version: 23

Type:  Opaque

Data
====
metadata:       46 bytes
mySuperSecret:  17 bytes
op-password:    100 bytes
GREETING:       39 bytes
annotations:    44 bytes
flaskdiag-env:  8 bytes
label:          6 bytes
and my deployment YAML has the secret env config as:
env:
  - name: flaskdiag-env
    valueFrom:
      secretKeyRef:
        name: flaskdiag-env
        key: GREETING
I checked the linting and somehow the spacing gets messed up here when I paste.
Error: secret "flaskdiag-env" not found
I also tried this config, no luck:
envFrom:
  - secretRef:
      name: flaskdiag-env
I know we can watch another namespace; WATCH_NAMESPACE is enabled by default, isn't it? Assuming so, if I want to use the default namespace, it does not throw the same Error: secret "flaskdiag-env" not found.
And if you need anything more to understand the issue here, please do let me know.
0 -
Thanks for all the great information, I think I understand what you're trying to do.
[...] if I try to use different namespace then secrets data are all empty, why is that?
You can only access a secret from the namespace you created it in. So if you never specify a namespace, it's likely defaulting to default, and that's why you can get the secret when you're in the default namespace. You must define the secret in each namespace if you want to grant multiple namespaces access to the secret. The operator will make sure the secret is the same across each namespace.
The WATCH_NAMESPACE config registers the provided namespaces with the OnePassword operator. When the OnePassword operator learns one of the secret resources was updated in 1Password, it sends a signal to each deployment in the registered namespaces.
Let me know if that helps! Thanks again for the detailed debugging information.
0 -
I mean if I define the namespace like in the YAML shown below, all data/secrets are empty. Why is that?
Please ignore the spacing, it gets messed up while copying and pasting.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: onesecret
  namespace: flaskdiag-27928923-qa
  annotations:
    operator.1password.io/auto-restart: "true"
    operator.1password.io/item-path: "vaults/qa/items/flaskdiag-env"
    operator.1password.io/item-name: "flaskdiag-env"
kubectl describe output:
kubectl describe secret onesecret -n flaskdiag-27928923-qa
Name:         onesecret
Namespace:    flaskdiag-27928923-qa
Labels:       <none>
Annotations:  operator.1password.io/auto-restart: true
              operator.1password.io/item-name: flaskdiag-env
              operator.1password.io/item-path: vaults/qa/items/flaskdiag-env

Type:  Opaque

Data
====
In my case, only if I do not define the namespace and leave it empty, or use the default namespace, are the 1Password secrets/data populated. Is there any config that I might be missing? I tried reinstalling 1Password Connect/operator for the 3rd time today, no luck.
I am using the command below to configure the 1Password Connect Helm operator:
helm upgrade -i connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true
0 -
Sorry to hear you're still having issues! I believe I have a solution, though:
It looks like you're telling K8s to create a secret (kind: Secret) -- with the 1Password Operator you don't need to define the secret because the operator will create the secret for you. Instead, you should be able to do:
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: onesecret  # this name will also be used for naming the generated kubernetes secret
  namespace: flaskdiag-27928923-qa
  annotations:
    operator.1password.io/auto-restart: "true"
spec:
  itemPath: "vaults/qa/items/flaskdiag-env"
Once deployed, the operator will create a secret named onesecret in your flask-diag namespace. You can see this in practice in our tests for the Connect helm charts:
Setting up the OnePassword resource: setup-secret-read.yml
Reading the resource as a secret: secret-read.yml
I'll see what I can do about updating the documentation to highlight this. Thanks again for your patience, we appreciate you raising the issue!
0
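A pre-deploy check that would have caught the mismatch the thread ends up diagnosing (a Deployment referencing a secret that only exists in another namespace), added here as an example and not code from 1Password or from anyone in this thread: it walks a set of manifests and reports every secretKeyRef/secretRef in a Deployment that has no Secret or OnePasswordItem in the Deployment's own namespace. The manifests are constructed in kubectl -o json style and reuse the thread's flaskdiag-env item and flaskdiag-27928923-qa namespace.

```python
import json

# Constructed manifests in `kubectl get -o json` style (not taken from the thread): the
# OnePasswordItem lives in "default" while the Deployment sits in another namespace.
MANIFESTS = json.loads("""[
 {"apiVersion": "onepassword.com/v1", "kind": "OnePasswordItem",
  "metadata": {"name": "flaskdiag-env", "namespace": "default"},
  "spec": {"itemPath": "vaults/qa/items/flaskdiag-env"}},
 {"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "flaskdiag", "namespace": "flaskdiag-27928923-qa"},
  "spec": {"template": {"spec": {"containers": [{"name": "app",
    "env": [{"name": "GREETING", "valueFrom":
             {"secretKeyRef": {"name": "flaskdiag-env", "key": "GREETING"}}}],
    "envFrom": [{"secretRef": {"name": "flaskdiag-env"}}]}]}}}}
]""")

# Plain Secrets plus the Secrets the 1Password operator generates from OnePasswordItems.
SECRET_KINDS = {"Secret", "OnePasswordItem"}

def secret_sources(manifests):
    """(namespace, name) pairs under which a Secret will exist in the cluster."""
    return {(m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            for m in manifests if m["kind"] in SECRET_KINDS}

def secret_refs(deployment):
    """Names of the Secrets a Deployment's containers read env vars from."""
    refs = set()
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                refs.add(ef["secretRef"]["name"])
    return refs

def find_unresolved(manifests):
    """(namespace, deployment, secret) for every reference that has no source in the
    Deployment's own namespace: Secrets are never visible across namespaces."""
    sources = secret_sources(manifests)
    problems = []
    for m in manifests:
        if m["kind"] == "Deployment":
            ns = m["metadata"].get("namespace", "default")
            problems += [(ns, m["metadata"]["name"], name)
                         for name in sorted(secret_refs(m)) if (ns, name) not in sources]
    return problems

if __name__ == "__main__":
    for ns, dep, secret in find_unresolved(MANIFESTS):
        print(f'{ns}/{dep}: secret "{secret}" not found in namespace {ns}')
```

Adding a second OnePasswordItem named flaskdiag-env in the flaskdiag-27928923-qa namespace makes the report empty, which is the fix the thread arrives at.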