When can we expect Secrets Automation integration with CI?

sssanjaya
Community Member

I attended the webinar, and you guys mentioned integrating it with CI. When can we expect it to be released?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi sssanjaya,

    Unfortunately I do not have an explicit timeline to share with you on formal support for CI integrations; we don't commit to release dates, to make sure we allow adequate time to develop and test a great solution.

    I can tell you that the team is actively working on this problem now. Is there a specific CI solution that you are looking to integrate with?

    James

  • sssanjaya
    Community Member

    Yes, I am trying to implement it in GitLab CI. I'm very new to 1Password and have set up Connect and the operator. I will try to implement it in Helm charts.
    Could you please share a Helm chart that has a 1Password secret implementation? Thank you.

  • We don't have any examples at this time of using Secrets Automation in GitLab CI.

    If you want to include 1Password secrets in your Helm chart, you will want to look at the operator's documentation and have your Helm chart generate custom resource definitions, or use metadata annotations, to create the necessary Kubernetes secrets.

  • sssanjaya
    Community Member

    Thank you James! What you guys are building is awesome. 1Password Secrets Automation is very promising, and I cannot wait to find solutions; I will share a how-to blog if I can make it work.

  • Thanks sssanjaya! I look forward to hearing how you make out. I am just as excited to see what people outside 1Password do with Secrets Automation as I am for what the team here is building.

  • sssanjaya
    Community Member

    Sounds fun and exciting! Getting my hands dirty.

  • ag_ana
    1Password Alumni

    Enjoy! :)

  • sssanjaya
    Community Member
    edited July 2021

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: onesecret
      namespace: qa
      annotations:
        operator.1password.io/auto-restart: "true"
        operator.1password.io/item-path: "vaults/qa/items"
        operator.1password.io/item-name: "env"
    

    1. The data inside env does not get pulled into onesecret. How do I create the secret? Am I missing something?

    apiVersion: onepassword.com/v1
    kind: OnePasswordItem
    metadata:
      name: onesecret
      namespace: qa
    spec:
      itemPath: "vaults/qa/items/env"
    

    2. If I do it like the above, it creates a secret with all data populated somewhere inside onepassword.com/v1/onepassworditems, where I cannot access my secret data from my env Helm chart.

  • Hey sssanjaya,

    You need to use the Custom Resource Definition shown in the Usage section of the K8s operator repository.

    Could you explain what you're trying to do when you say you can't read the secret from your Helm chart? Once I have a better idea of what you're trying to accomplish I'll be able to offer better advice.

  • sssanjaya
    Community Member

    @David_ag Hi David, thanks for your response. Could you please take a peek at this link

  • After looking at the GitLab issue I think what you need to do is:

    1. Confirm you are creating the secret via the deployment annotation
    2. Make sure you're setting an item_path and item_name annotation
    3. Refer to the secret using the item_name

    So your annotation would look like:

    annotations:
        operator.1password.io/auto-restart: "true"
        operator.1password.io/item-path: "vaults/qa/items/env"
        operator.1password.io/item-name: "nameOfMy1PSecret"
    

    and your container's env definition in the helm chart would need to be:

    env:
        - name: MY_SECRET_FROM_1P
          valueFrom:
            secretKeyRef:
              name: "nameOfMy1PSecret"
              key: <json key of the field you want from the 1password item>
    

    I can't comment about GitLab specifics, but it looks like they've got you on the right track.

  • sssanjaya
    Community Member

    Firstly, thank you.
    1. With deployment annotations, where does it store all the secrets?
    2. I tested and double-checked that the item_path and item_name annotations are working with no typos, using flaskdiag-env as the name here.
    3. The item_name secret created by the deployment is completely empty in my case.

    I have created a onepassworditem manually in the default namespace, which seems to be the only config that pulls the secret data.
    Also, if I try to use a different namespace then the secret data are all empty. Why is that?

    apiVersion: onepassword.com/v1
    kind: OnePasswordItem
    metadata:
      name: flaskdiag-env
    spec:
      itemPath: "vaults/qa/items/flaskdiag-env"
    

    kubectl describe output:

    Name:         flaskdiag-env
    Namespace:    default
    Labels:       <none>
    Annotations:  operator.1password.io/item-path: vaults/kkx4he4ut7icvhsxezqi5szghm/items/jybjeaw6ed6uc65uq3uctdjgmm
                  operator.1password.io/item-version: 23

    Type:  Opaque

    Data
    ====
    metadata:       46 bytes
    mySuperSecret:  17 bytes
    op-password:    100 bytes
    GREETING:       39 bytes
    annotations:    44 bytes
    flaskdiag-env:  8 bytes
    label:          6 bytes


    and my deployment YAML has the secret env config as:

    env:
      - name: flaskdiag-env
        valueFrom:
          secretKeyRef:
            name: flaskdiag-env
            key: GREETING


    I checked linting, and somehow the spacing is getting messed up here when I paste.

    Error: secret "flaskdiag-env" not found
    

    I also tried this config, no luck:

    envFrom:
      - secretRef:
          name: flaskdiag-env


    I know we can watch another namespace; WATCH_NAMESPACE is enabled by default, isn't it? Assuming so, if I use the default namespace it does not throw the same Error: secret "flaskdiag-env" not found.

    And if you need anything more to understand the issue here, please do let me know.

  • Thanks for all the great information, I think I understand what you're trying to do.

    [...] if I try to use different namespace then secrets data are all empty, why is that?

    You can only access a secret from the namespace you created it in. So if you never specify a namespace, it's likely defaulting to default and that's why you can get the secret when you're in the default namespace. You must define the secret in each namespace if you want to grant multiple namespaces access to the secret. The operator will make sure the secret is the same across each namespace.

    The WATCH_NAMESPACE config registers the provided namespaces with the OnePassword operator. When the OnePassword operator learns one of the secret resources was updated in 1Password, it sends a signal to each deployment in the registered namespaces.

    Let me know if that helps! Thanks again for the detailed debugging information.

  • sssanjaya
    Community Member

    I mean if I define the namespace like in the YAML shown below, all data/secrets are empty. Why is that?

    Please ignore the spacing; it got messed up while copying and pasting.

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: onesecret
      namespace: flaskdiag-27928923-qa
      annotations:
        operator.1password.io/auto-restart: "true"
        operator.1password.io/item-path: "vaults/qa/items/flaskdiag-env"
        operator.1password.io/item-name: "flaskdiag-env"
    

    kubectl describe output:

    kubectl describe secret onesecret -n flaskdiag-27928923-qa
    Name:         onesecret
    Namespace:    flaskdiag-27928923-qa
    Labels:       <none>
    Annotations:
                  operator.1password.io/auto-restart: true
                  operator.1password.io/item-name: flaskdiag-env
                  operator.1password.io/item-path: vaults/qa/items/flaskdiag-env

    Type:  Opaque

    Data
    ====


    In my case, the 1Password secrets/data are populated only if I do not define the namespace (leave it empty) or use the default namespace. Is there any config that I might be missing? I tried reinstalling 1Password Connect/operator for the 3rd time today, no luck.
    I am using the command below to configure the 1Password Connect Helm operator:

    helm upgrade -i connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true

  • Sorry to hear you're still having issues! I believe I have a solution, though:

    It looks like you're telling K8s to create a secret (kind: Secret) -- with the 1Password Operator you don't need to define the secret because the operator will create the secret for you.

    Instead, you should be able to do:

    apiVersion: onepassword.com/v1
    kind: OnePasswordItem
    metadata:
      name: onesecret # this name is also used for the generated Kubernetes secret
      namespace: flaskdiag-27928923-qa
      annotations:
        operator.1password.io/auto-restart: "true"
    spec:
      itemPath: "vaults/qa/items/flaskdiag-env"


    Once deployed, the operator will create a secret named onesecret in your flask-diag namespace.

    You can see this in practice in our tests for the Connect helm charts:

    Setting up the OnePassword resource: setup-secret-read.yml
    Reading the resource as a secret: secret-read.yml

    I'll see what I can do about updating the documentation to highlight this. Thanks again for your patience, we appreciate you raising the issue!
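The three mistakes this thread works through (an annotated kind: Secret that the operator never fills, a OnePasswordItem landing in the default namespace while the workload reads it from another namespace, and a Deployment annotation set that needs both item-path and item-name) are all visible in the manifests before anything is applied. The linter below, added here as an example and not code from 1Password or the operator project, checks those conditions over manifests passed as plain dicts (the shape yaml.safe_load returns). The sample manifests, the namespace and item names, the placeholder image and the deployment() helper are constructed for this example; the annotation keys, the OnePasswordItem kind and its spec.itemPath field are the ones shown in the thread.

```python
"""Lint 1Password operator wiring in Kubernetes manifests (example code).

Manifests are plain dicts (what yaml.safe_load would return), so the checks run
without a cluster. Sample manifests below are constructed for this example.
"""
import re

ANN = "operator.1password.io/"
ITEM_PATH_RE = re.compile(r"^vaults/[^/]+/items/[^/]+$")


def _meta(m, key, default):
    return (m.get("metadata") or {}).get(key) or default


def _secret_refs(deployment):
    """Secret names a Deployment reads via env.secretKeyRef or envFrom.secretRef."""
    pod = ((deployment.get("spec") or {}).get("template") or {}).get("spec") or {}
    refs = set()
    for c in (pod.get("containers") or []) + (pod.get("initContainers") or []):
        for e in c.get("env") or []:
            ref = (e.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
        for e in c.get("envFrom") or []:
            ref = e.get("secretRef")
            if ref:
                refs.add(ref["name"])
    return refs


def lint(manifests):
    """Return human-readable problems; an empty list means the wiring is consistent."""
    problems = []
    provided = set()  # (namespace, secret name) pairs the operator will create
    for m in manifests:
        kind = m.get("kind")
        ns, name = _meta(m, "namespace", "default"), _meta(m, "name", "<unnamed>")
        ann = _meta(m, "annotations", {})
        if kind == "OnePasswordItem":
            path = (m.get("spec") or {}).get("itemPath")
            if path is None:
                problems.append(f"{ns}/{name}: OnePasswordItem needs spec.itemPath "
                                "(camelCase, at top level, not under metadata)")
            elif not ITEM_PATH_RE.match(path):
                problems.append(f"{ns}/{name}: itemPath {path!r} should be vaults/<vault>/items/<item>")
            provided.add((ns, name))
        elif kind == "Secret" and any(k.startswith(ANN) for k in ann):
            problems.append(f"{ns}/{name}: kind: Secret carrying operator annotations; "
                            "the operator creates the Secret itself, declare a OnePasswordItem instead")
        elif kind == "Deployment" and (ANN + "item-path" in ann or ANN + "item-name" in ann):
            path, secret = ann.get(ANN + "item-path"), ann.get(ANN + "item-name")
            if not (path and secret):
                problems.append(f"{ns}/{name}: annotation opt-in needs both item-path and item-name")
            elif not ITEM_PATH_RE.match(path):
                problems.append(f"{ns}/{name}: item-path {path!r} should be vaults/<vault>/items/<item>")
            else:
                provided.add((ns, secret))
    # Secrets are namespace-scoped: a Deployment can only read what exists in its own namespace.
    for m in manifests:
        if m.get("kind") == "Deployment":
            ns, name = _meta(m, "namespace", "default"), _meta(m, "name", "<unnamed>")
            for ref in sorted(_secret_refs(m)):
                if (ns, ref) not in provided:
                    problems.append(f"{ns}/{name}: reads secret {ref!r} but nothing creates it "
                                    f"in namespace {ns!r} (secrets are namespace-scoped)")
    return problems


NS = "flaskdiag-27928923-qa"  # namespace used in the thread


def deployment(name, ns, secret):
    """Minimal constructed Deployment whose container reads GREETING from `secret`."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"template": {"spec": {"containers": [{
                "name": "app", "image": "example/flaskdiag",  # placeholder image
                "env": [{"name": "GREETING", "valueFrom": {
                    "secretKeyRef": {"name": secret, "key": "GREETING"}}}],
                "envFrom": [{"secretRef": {"name": secret}}]}]}}}}


# The failing setup from the thread: an annotated kind: Secret (never filled in), plus a
# OnePasswordItem created with no namespace (so it lands in "default") while the workload
# runs in the qa namespace -> 'secret "flaskdiag-env" not found'.
BROKEN = [
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "onesecret", "namespace": NS, "annotations": {
         ANN + "auto-restart": "true",
         ANN + "item-path": "vaults/qa/items/flaskdiag-env",
         ANN + "item-name": "flaskdiag-env"}}},
    {"apiVersion": "onepassword.com/v1", "kind": "OnePasswordItem",
     "metadata": {"name": "flaskdiag-env"},
     "spec": {"itemPath": "vaults/qa/items/flaskdiag-env"}},
    deployment("flaskdiag", NS, "flaskdiag-env"),
]

# The working shape: one OnePasswordItem in the same namespace as the Deployment.
FIXED = [
    {"apiVersion": "onepassword.com/v1", "kind": "OnePasswordItem",
     "metadata": {"name": "onesecret", "namespace": NS,
                  "annotations": {ANN + "auto-restart": "true"}},
     "spec": {"itemPath": "vaults/qa/items/flaskdiag-env"}},
    deployment("flaskdiag", NS, "onesecret"),
]

if __name__ == "__main__":
    for label, ms in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: {lint(ms) or 'OK'}")
```

Running the script reports two problems for the broken set (the annotated Secret, and the Deployment reading a secret that only exists in default) and none for the fixed set. The same pass catches a spec block nested under metadata, which the operator ignores, because spec.itemPath is then missing at the top level.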

This discussion has been closed.