Unable to get item from vault

Hi,

I have setup connect using the operator and created the necessary json file and token using these procedures documented here:
https://support.1password.com/secrets-automation/

I then created a OnePasswordItem resource that looks like this:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: test-password
spec:
itemPath: "vaults/k8s/items/test-password"

The Token has access to the k8s vault and inside the vault there is single item (of type password) named "test-password".

No kubernetes secret is created. When I look at the logs of connect-sync I see this error (that probably is the cause):

{"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 8s), Wrapped: (failed to NewAPI), Authentication: (failed to SigninWithCredentials), Wrapped: (failed to auth.LookupAuth), Network: (failed to request.DoUnencrypted), Get \"https://my.ent.1password.com/api/v2/auth/@1passwordserviceaccounts.com/A3//\": dial tcp: lookup my.ent.1password.com on 10.43.0.10:53: server misbehaving","timestamp":"2021-11-30T21:13:34.648984402Z","level":1}

When I curl the URL I get back:
{"reason":"deprecated"}

What could be wrong here?

Thanks, Thomas


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • David_agDavid_ag

    Team Member

    Hey there!

    Thanks for reaching out and providing your error logs.

    Looking at the error message it seems like the K8s DNS cannot resolve the my.ent.1password.com domain. Do you have any special DNS configuration that could impact how your Pods talk to the internet?

  • I don't think that is the problem. I am getting back the {"reason":"deprecated"} json from the endpoint.

  • DNS config is default.

  • I will test DNS lookup from inside the container and let you know.

  • Thanks for your help. There are indeed DNS issues in the cluster.

  • Hi, it is working now that my DNS issues were resolved. One more question: Is it correct that every item in the vault will be synced to an individual secret in k8s or can I somehow create a secret which contains more than one item form the vault?

  • Nevermind my last question. I figured it out. Secure Note content for example will be completly copied to the secret in k8s.

  • David_agDavid_ag

    Team Member

    Glad to hear you got it sorted out!

    As far as your earlier question:

    Is it correct that every item in the vault will be synced to an individual secret in k8s or can I somehow create a secret which contains more than one item form the vault?

    You can create a secret from a single item, and that item can have multiple fields. For example, the 1Password item has a "username", "password", and "host" field. The secret created by the operator would contain each field as a key in the K8s Secret's data field.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file