Unable to get item from vault

Hi,

I have set up Connect using the operator and created the necessary JSON file and token using the procedures documented here:
https://support.1password.com/secrets-automation/

I then created a OnePasswordItem resource that looks like this:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: test-password
spec:
  itemPath: "vaults/k8s/items/test-password"

The token has access to the k8s vault, and inside the vault there is a single item (of type password) named "test-password".

No Kubernetes secret is created. When I look at the logs of connect-sync I see this error (that probably is the cause):

{"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 8s), Wrapped: (failed to NewAPI), Authentication: (failed to SigninWithCredentials), Wrapped: (failed to auth.LookupAuth), Network: (failed to request.DoUnencrypted), Get \"https://my.ent.1password.com/api/v2/auth/@1passwordserviceaccounts.com/A3//\": dial tcp: lookup my.ent.1password.com on 10.43.0.10:53: server misbehaving","timestamp":"2021-11-30T21:13:34.648984402Z","level":1}

When I curl the URL I get back:
{"reason":"deprecated"}

What could be wrong here?

Thanks, Thomas



Comments

  • Hey there!

    Thanks for reaching out and providing your error logs.

    Looking at the error message it seems like the K8s DNS cannot resolve the my.ent.1password.com domain. Do you have any special DNS configuration that could impact how your Pods talk to the internet?
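An added example, not part of the original thread or 1Password's own code: a small Python triage function that reads a connect-sync log line like the one posted above and reports the innermost error, so that a DNS failure is not mistaken for an authentication failure. The sample lines are constructed (the URL path is a placeholder), and the names `triage`, `SAMPLE_DNS` and `SAMPLE_AUTH` are hypothetical.

```python
import json
import re

# Shape of the failed-lookup text in the log line posted above:
#   dial tcp: lookup <host> on <resolver>:<port>: <reason>
DNS_FAILURE = re.compile(
    r"dial tcp: lookup (?P<host>\S+) on (?P<resolver>\S+):(?P<port>\d+): (?P<reason>.+)$"
)

# Constructed sample lines modelled on the log in the post; the URL path is a placeholder.
SAMPLE_DNS = (
    r'{"log_message":"(E) Server: (unable to get credentials and initialize API, '
    r'retrying in 8s), Wrapped: (failed to NewAPI), Authentication: (failed to '
    r'SigninWithCredentials), Wrapped: (failed to auth.LookupAuth), Network: (failed '
    r'to request.DoUnencrypted), Get \"https://my.ent.1password.com/PLACEHOLDER\": '
    r'dial tcp: lookup my.ent.1password.com on 10.43.0.10:53: server misbehaving",'
    r'"timestamp":"2021-11-30T21:13:34.648984402Z","level":1}'
)
SAMPLE_AUTH = (
    '{"log_message":"(E) Server: (unable to get credentials and initialize API, '
    'retrying in 8s), Authentication: (failed to SigninWithCredentials)",'
    '"timestamp":"2021-11-30T21:14:00Z","level":1}'
)

def triage(line):
    """Classify one connect-sync JSON log line by its innermost (root) error."""
    try:
        entry = json.loads(line)
        msg = str(entry["log_message"])
    except (ValueError, KeyError, TypeError):
        return {"kind": "unparsed"}  # not JSON, or not a log object
    result = {"timestamp": entry.get("timestamp")}
    # Check the network layer first: a failed lookup also surfaces inside an
    # "Authentication:" wrapper, so matching on that wrapper alone would mislead.
    m = DNS_FAILURE.search(msg)
    if m:
        result.update(kind="dns", host=m["host"], resolver=m["resolver"],
                      port=int(m["port"]), reason=m["reason"])
    elif "Authentication:" in msg:
        result["kind"] = "auth"
    else:
        result["kind"] = "other"
    return result

if __name__ == "__main__":
    for sample in (SAMPLE_DNS, SAMPLE_AUTH, "not json"):
        print(triage(sample))
```

The `resolver` field is the DNS server the pod queried, so a lookup or `curl` run from another machine does not exercise the same path.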

  • thofmann
    Community Member

    I don't think that is the problem. I am getting back the {"reason":"deprecated"} json from the endpoint.

  • thofmann
    Community Member

    DNS config is default.

  • thofmann
    Community Member

    I will test DNS lookup from inside the container and let you know.

  • thofmann
    Community Member

    Thanks for your help. There are indeed DNS issues in the cluster.

  • thofmann
    Community Member

    Hi, it is working now that my DNS issues were resolved. One more question: Is it correct that every item in the vault will be synced to an individual secret in k8s or can I somehow create a secret which contains more than one item from the vault?

  • thofmann
    Community Member

    Never mind my last question. I figured it out. Secure Note content for example will be completely copied to the secret in k8s.

  • Glad to hear you got it sorted out!

    As far as your earlier question:

    Is it correct that every item in the vault will be synced to an individual secret in k8s or can I somehow create a secret which contains more than one item from the vault?

    You can create a secret from a single item, and that item can have multiple fields. For example, the 1Password item has a "username", "password", and "host" field. The secret created by the operator would contain each field as a key in the K8s Secret's data field.

This discussion has been closed.