No k8s secret created. How to troubleshoot?

lynnturntlynnturnt
Community Member

Hello. Excited to get this working.

one connect pods are green. I've created my CRD for a OnePasswordItem. I've applied it. I see the CRD in the Object Explorer on GKE. However, my actual k8s secret never shows up. I guess I was expecting a log or message or error of some sort to tell me what to do next.

Here's my vault:

Here's my OnePasswordItem in the Object Explorer:

Here's my yaml for the OnePasswordItem above:

How do I troubleshoot? Is there a log file that tells me what I'm missing?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Joris_1PJoris_1P

    Team Member

    Hey!

    I am glad to hear you are excited to get this to work. Speaking from my own experience, it's pretty magical when it works!

    Let's try to get this sorted. First a quick check because it is not explicitly mentioned in the post: you are running the 1Password Operator? (either by manually deploying the manifest in that repo or through our Helm chart)

    If that is indeed the case, could you share the logs of the onepassword-connect-operator deployment? (kubectl logs deployment/onepassword-connect-operator probably does the trick) That might contains some hints as to what is going on.

    Joris

  • lynnturntlynnturnt
    Community Member
    edited April 7

    Thanks for the quick reply. I did forget to mention that! Yes, installed the helm version as part of the install. I have a deployment called onepassword-connect. Inside are a couple of containers:

    • connect-api
    • connect-sync

    Both are running, green and have 0 restarts.

    I restarted the pod for fresh logs. Heres the dump of both the connect-api and connect-sync logs

    kubectl logs deployment/onepassword-connect -c connect-api

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:22.236128894Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:23.236614561Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:24.236855033Z","level":3}
    {"log_message":"(I) disabling bus peer auto-discovery","timestamp":"2022-04-06T18:50:25.239553647Z","level":3}
    {"log_message":"(I) connected to bus peer at localhost:11221","timestamp":"2022-04-06T18:50:25.240723716Z","level":3}
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-04-06T18:50:25.240907975Z","level":2}
    {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-04-06T18:50:25.241138542Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-04-06T18:50:25.241166283Z","level":3}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:50:45.43773031Z","level":3,"scope":{"request_id":"e6c700c3-c423-4206-aca9-4e0e0cd93ae0"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:50:45.437842508Z","level":3,"scope":{"request_id":"e6c700c3-c423-4206-aca9-4e0e0cd93ae0"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:45.438321723Z","level":3,"scope":{"request_id":"a82dc20c-9476-4735-9214-0e7e520442b6"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:45.439036178Z","level":3,"scope":{"request_id":"a82dc20c-9476-4735-9214-0e7e520442b6"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:55.438054739Z","level":3,"scope":{"request_id":"47d2c541-27f3-4ebf-ac02-ae41391488d3"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:55.438544371Z","level":3,"scope":{"request_id":"47d2c541-27f3-4ebf-ac02-ae41391488d3"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:05.436730884Z","level":3,"scope":{"request_id":"b35c6dd6-3fac-4fbe-b30f-faa457dc2767"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:05.437051136Z","level":3,"scope":{"request_id":"b35c6dd6-3fac-4fbe-b30f-faa457dc2767"}}
    

    kubectl logs deployment/onepassword-connect -c connect-sync

    {"log_message":"(I) disabling bus peer auto-discovery","timestamp":"2022-04-06T18:50:24.498800445Z","level":3}
    {"log_message":"(W) did not initialize bus connection to peer localhost:11220. If the peer is currently booting, it may initialize the connection while starting. Details: failed to transport.CreateConnection: [transport-websocket] failed to Dial endpoint: dial tcp 127.0.0.1:11220: connect: connection refused. ","timestamp":"2022-04-06T18:50:24.499900844Z","level":2}
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-04-06T18:50:24.500093453Z","level":2}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-04-06T18:50:24.50029249Z","level":3}
    {"log_message":"(I) serving on :8081","timestamp":"2022-04-06T18:50:24.500338439Z","level":3}
    {"log_message":"(I) no existing database found, will initialize at /home/opuser/.op/data/1password.sqlite","timestamp":"2022-04-06T18:50:24.500860912Z","level":3}
    {"log_message":"(I) database initialization complete","timestamp":"2022-04-06T18:50:24.51662394Z","level":3}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-04-06T18:50:24.517155596Z","level":3}
    {"log_message":"(I) established incoming bus peer connection","timestamp":"2022-04-06T18:50:25.240661368Z","level":3}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:45.437681412Z","level":3,"scope":{"request_id":"2bd63987-1095-49f4-a33c-eab03c649393"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:45.437907303Z","level":3,"scope":{"request_id":"2bd63987-1095-49f4-a33c-eab03c649393"}}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:50:45.439826104Z","level":3,"scope":{"request_id":"d891ecac-a5da-478b-b915-3b62d9d66f91"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:50:45.439874632Z","level":3,"scope":{"request_id":"d891ecac-a5da-478b-b915-3b62d9d66f91"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:55.43725771Z","level":3,"scope":{"request_id":"20a8c83a-5697-4264-9658-9f9745f024ac"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:55.437357602Z","level":3,"scope":{"request_id":"20a8c83a-5697-4264-9658-9f9745f024ac"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:05.436651689Z","level":3,"scope":{"request_id":"ee42e5c1-f3fe-43e9-9848-c104cb21bd8b"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:05.436719808Z","level":3,"scope":{"request_id":"ee42e5c1-f3fe-43e9-9848-c104cb21bd8b"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:15.437649723Z","level":3,"scope":{"request_id":"c658cc89-ce86-4251-bcc9-48be4b21678d"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:15.437709724Z","level":3,"scope":{"request_id":"c658cc89-ce86-4251-bcc9-48be4b21678d"}}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:51:15.43858387Z","level":3,"scope":{"request_id":"1f53dd9b-c866-4d6e-917e-b6af107a1b4d"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:51:15.438619475Z","level":3,"scope":{"request_id":"1f53dd9b-c866-4d6e-917e-b6af107a1b4d"}}
    
  • Joris_1PJoris_1P

    Team Member

    Thank you for clarifying that! I think I know what the issue could be.

    The magic that automatically creates Kubernetes secrets is not included in the base setup of Connect. That requires running a separate operator that talks with the Kubernetes API.

    Fortunately, that is all included in the Helm chart. So enabling it should be as simple as running the following Helm command:

    helm upgrade connect 1password/connect --reuse-values --set operator.create=true    
    

    The operator requires a Connect token (with read access to all vaults that it should create secrets for) to communicate with Connect. That can be stored in a k8s secret, like this:

    kubectl create secret generic onepassword-token--from-literal=token=INSERT_TOKEN_HERE
    

    If all goes well, you should end up with an extra onepassword-connect-operator deployment.

    Let me know if that helps.

    Joris

  • lynnturntlynnturnt
    Community Member

    Silly me. That did it. Yes, it's magical. Excellent help, thank you!

  • Joris_1PJoris_1P

    Team Member

    You're welcome. Glad it works now. Enjoy the magic!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file