Setup on Heroku or other recommended host

Curious if any of you have managed to get 1Password Connect running on Heroku. They don't support the docker-compose.yml setup unfortunately so it would be nice to know if there's an alternative approach.

Barring that, are there recommended hosts where 1Password Connect can be easily set up for use by our various apps and automation pipelines?

Suggestion: would be nice if 1Password offered a hosted 1Password Connect service to avoid having to set it up elsewhere and keep it all "in house" within the 1Password ecosystem.

Thanks!



Comments

  • I am not sure exactly why the devs decided to separate the sync/api into two different containers/binaries. If you check the containers you can see that they just run two golang binaries (connect-api, connect-sync), so you can copy them into a single individual container and run it that way inside of a Heroku instance.

    I think it would be interesting to have more insight on the reasoning behind running two individual processes instead of combining everything into the same binary, and also what the API on the connect-sync binary is for.

    Finally, it could also be interesting for the 1Password team to release the binaries as a standalone download for a more flexible setup instead of having to use docker/kubernetes.

  • James_1P

    Team Member

    Hi,

    I am happy to chime in on the motivation for the separate processes architecture. The motivation here was to provide a HA capable deployment where you can horizontally scale the API container to load balance requests while having a single sync process keeping the data consistent across the nodes.

    We are looking at expanding the deployment options (both documentation and technology) to better support the broad number of deployment targets and situations in the future.

  • Oh, that makes sense, I didn't think about that use case. Regarding the port 8080 of the sync process, could you provide some more details on what it is used for? Not sure if it was considered before, but adding a flag to change the port would be a useful feature for future releases of the binaries, since that could allow users to run both binaries in the same container without issues (right now, since both binaries use port 8080, you need to do some extra workarounds).

    Thanks for the insight!

  • James_1P

    Team Member

    The port 8080 on the sync process is used for 2 things. First is that the sync container advertises /health and /heartbeat endpoints for orchestration tools to monitor the container. Secondly, the port is used as part of the container-to-container communication that they do to maintain shared lock state and ensure sync has completed.

    The good news is that we have some docs on Docker Hub that include a few of the environment variables that can be used to customize the containers. (The better news is that we are working on improving these docs in the near future.)

    For your case you will want the OP_HTTP_PORT variable that can be used to change the port of either container.

  • @James_1P Thanks for the additional insights. When do you think there will be additional deployment options available, even if in a beta state?

    I'm investigating the use of 1Password Connect for our team's infrastructure but have to do it within the constraints of our existing base infrastructure tooling such as Heroku.

  • James_1P

    Team Member

    Hi penguinzed,

    We are evaluating options right now and don't have any timelines at the moment. I have added Heroku support to our list to investigate though.

  • If it helps, I think the biggest limitation to running 1Password secrets automation in Heroku right now is that disk storage in Heroku is ephemeral and the 1Password services rely on a local sqlite database, which is not a viable option with Heroku. Aside from that, I was able to create my own docker image with both the sync and api binaries inside and deployed it to Heroku without issues. The sqlite files were deleted automatically after a few hours, but the api was still working fine (which I still don't understand, if the only way to access the secrets by the api service is by using the sqlite database?), but obviously this is not optimal.

    This could be a workaround but I have not tried it yet: https://devcenter.heroku.com/articles/active-storage-on-heroku

  • Ignore the workarounds part since that only applies to Ruby on Rails environments in Heroku.

  • James_1P

    Team Member

    Thanks for the details! I was not aware of the volume restrictions in Heroku
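
The single-container setup described in the comments above, using the OP_HTTP_PORT variable James_1P mentions, written as an entrypoint script. This is an added example, not code from the thread or from 1Password; the binary paths, the SYNC_PORT override and the 8081 default are assumptions, and it sets no Connect variable other than OP_HTTP_PORT.

```shell
#!/bin/sh
# Added example. Assumed, not from the thread: binary paths, the SYNC_PORT
# override, the 8081 default, and a platform that passes the public port in $PORT.
API_BIN="${API_BIN:-/bin/connect-api}"     # assumed path
SYNC_BIN="${SYNC_BIN:-/bin/connect-sync}"  # assumed path

# valid_port N: succeed only for a decimal integer in 1..65535.
valid_port() {
  case "$1" in
    ''|0*|*[!0-9]*|??????*) return 1 ;;
  esac
  [ "$1" -le 65535 ]
}

# sync_port_for API_PORT [WANTED]: print a port for connect-sync that is
# guaranteed to differ from the API port, so both can bind in one container.
sync_port_for() {
  api="$1"; want="${2:-8081}"
  valid_port "$api" && valid_port "$want" || return 1
  if [ "$want" -eq "$api" ]; then
    want=$((api + 1))
    [ "$want" -le 65535 ] || want=$((api - 1))
  fi
  echo "$want"
}

# run_connect: start both processes, each with its own OP_HTTP_PORT, and stop
# the survivor if either one exits so the platform restarts the pair together.
run_connect() {
  api_port="${PORT:-8080}"
  sync_port="$(sync_port_for "$api_port" "${SYNC_PORT:-8081}")" || {
    echo "invalid PORT/SYNC_PORT: $api_port/${SYNC_PORT:-8081}" >&2; return 1; }
  OP_HTTP_PORT="$sync_port" "$SYNC_BIN" & sync_pid=$!
  OP_HTTP_PORT="$api_port" "$API_BIN" & api_pid=$!
  trap 'kill "$sync_pid" "$api_pid" 2>/dev/null' TERM INT
  while kill -0 "$sync_pid" 2>/dev/null && kill -0 "$api_pid" 2>/dev/null; do
    sleep 2
  done
  kill "$sync_pid" "$api_pid" 2>/dev/null
  wait
  return 1
}

# Only launch when asked to, e.g. as the container command: entrypoint.sh start
if [ "${1:-}" = "start" ]; then run_connect; fi
```

Only connect-api is bound to the platform-assigned port; the sync process, whose port carries /health, /heartbeat and the lock-state traffic, gets a separate one.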
