Secrets injector not working - variable value is the op path
rommel
Community Member
Hi,
I am currently testing the secrets injector with a Connect server by following this documentation. Both have been deployed in k8s.
I tried deploying this demo app
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      annotations:
        operator.1password.io/inject: demo-app
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: busybox
          ports:
            - containerPort: 5000
          command: ["sleep"]
          args: ["3600"]
          env:
            - name: OP_CONNECT_HOST
              value: 'http://onepassword-connect.onepassword.svc.cluster.local:8080'
            - name: OP_CONNECT_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: connect-token
            - name: TEST_ONEPASSWORD
              value: op://my-vault/test_creds/password
connect logs
{"log_message":"(I) GET /v1/vaults","timestamp":"2024-02-22T11:51:56.978455348Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults completed (200: OK) in 12ms","timestamp":"2024-02-22T11:51:56.990803288Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22","timestamp":"2024-02-22T11:51:56.992460837Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22 completed (200: OK) in 10ms","timestamp":"2024-02-22T11:51:57.00252325Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi","timestamp":"2024-02-22T11:51:57.003679559Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi completed (200: OK) in 8ms","timestamp":"2024-02-22T11:51:57.012355276Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
injector logs
I0222 11:51:55.401251 1 webhook.go:180] Checking if secret injection is needed for /v1, Kind=Pod at namespace default
I0222 11:51:55.401426 1 webhook.go:98] Pod at namespace default. Secret injection status: Secret Injection Enabled:true
I0222 11:51:55.401477 1 webhook.go:313] OP_SERVICE_ACCOUNT_TOKEN not provided
I0222 11:51:55.401485 1 webhook.go:345] OP CLI will be used with Connect
I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"kube-api-access-tkfrs","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"},{"name":"op-bin","readOnly":true,"mountPath":"/op/bin/"}]},{"op":"replace","path":"/spec/containers/0/command","value":["/op/bin/op","run","--","sleep"]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_NAME","value":"1Password Kubernetes Webhook"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_ID","value":"K8W"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_BUILDNUMBER","value":"1000101"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"op-bin","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/initContainers","value":[{"name":"copy-op-bin","image":"1password/op:2","command":["sh","-c","cp /usr/local/bin/op /op/bin/"],"resources":{},"volumeMounts":[{"name":"op-bin","mountPath":"/op/bin/"}],"imagePullPolicy":"IfNotPresent"}]},{"op":"add","path":"/metadata/annotations","value":{"operator.1password.io/status":"injected"}}]
I0222 11:51:55.401571 1 webhook.go:481] Ready to write response ...
When I check the pod env:
$ kubectl exec -it demo-app-78d6b574d7-bxcd4 -- /bin/sh
Defaulted container "demo-app" out of: demo-app, copy-op-bin (init)
/ #
/ # env | grep TEST
TEST_ONEPASSWORD=op://my-vault/test_creds/password
What could be the issue here?
This discussion has been closed.
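The injector log in the post contains the JSON Patch the webhook applied to the pod. As an added example (not part of the original post and not 1Password's code), this Python code applies a shortened, constructed copy of that patch to the posted container fields to show what was mutated: the command is wrapped in `op run --`, while the `TEST_ONEPASSWORD` value in the pod spec stays the `op://` reference. `op run` resolves references only in the environment of the process it launches, so a separate `kubectl exec` shell reads the unmodified spec value.

```python
import json
import re

# Constructed sample: the post's injector log line, patch cut to the command/env operations.
INJECTOR_LOG = (
    'I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch='
    '[{"op":"replace","path":"/spec/containers/0/command",'
    '"value":["/op/bin/op","run","--","sleep"]},'
    '{"op":"add","path":"/spec/containers/0/env/-",'
    '"value":{"name":"OP_INTEGRATION_ID","value":"K8W"}}]'
)
# Constructed sample: the container fields from the posted Deployment that the patch touches.
POD = {"spec": {"containers": [{
    "name": "demo-app", "command": ["sleep"], "args": ["3600"],
    "env": [{"name": "TEST_ONEPASSWORD",
             "value": "op://my-vault/test_creds/password"}],
}]}}

def extract_patch(log_line):
    """Return the JSON Patch operations embedded in an injector log line."""
    match = re.search(r"AdmissionResponse: patch=(\[.*\])", log_line)
    if not match:
        raise ValueError("no AdmissionResponse patch in log line")
    return json.loads(match.group(1))

def apply_patch(doc, ops):
    """Apply 'add'/'replace' operations (the only kinds in the log) to a copy."""
    doc = json.loads(json.dumps(doc))  # deep copy, leaves the input untouched
    for op in ops:
        if op["op"] not in ("add", "replace"):
            raise ValueError("unsupported op: " + op["op"])
        *parents, last = op["path"].lstrip("/").split("/")
        node = doc
        for key in parents:
            node = node[int(key)] if isinstance(node, list) else node[key]
        if not isinstance(node, list):
            node[last] = op["value"]
        elif last == "-":  # JSON Patch: "-" means append to the array
            node.append(op["value"])
        elif op["op"] == "add":
            node.insert(int(last), op["value"])
        else:
            node[int(last)] = op["value"]
    return doc

def summarize(pod):
    """Report the mutated command and env values that are still op:// references."""
    c = pod["spec"]["containers"][0]
    refs = {e["name"]: e["value"] for e in c["env"] if e.get("value", "").startswith("op://")}
    return {"command": c["command"], "unresolved_in_spec": refs}
```

To see the resolved value in a live pod, read the environment of the process started by `op run` rather than that of a new shell.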