No k8s secret created. How to troubleshoot?

Hello. Excited to get this working.

one connect pods are green. I've created my CRD for a OnePasswordItem. I've applied it. I see the CRD in the Object Explorer on GKE. However, my actual k8s secret never shows up. I guess I was expecting a log or message or error of some sort to tell me what to do next.

Here's my vault:

Here's my OnePasswordItem in the Object Explorer:

Here's my yaml for the OnePasswordItem above:

How do I troubleshoot? Is there a log file that tells me what I'm missing?

Thanks!



Comments

  • Hey!

    I am glad to hear you are excited to get this to work. Speaking from my own experience, it's pretty magical when it works!

    Let's try to get this sorted. First a quick check because it is not explicitly mentioned in the post: you are running the 1Password Operator? (either by manually deploying the manifest in that repo or through our Helm chart)

    If that is indeed the case, could you share the logs of the onepassword-connect-operator deployment? (kubectl logs deployment/onepassword-connect-operator probably does the trick) That might contain some hints as to what is going on.

    Joris

  • lynnturnt
    Community Member
    edited April 2022

    Thanks for the quick reply. I did forget to mention that! Yes, installed the helm version as part of the install. I have a deployment called onepassword-connect. Inside are a couple of containers:

    • connect-api
    • connect-sync

    Both are running, green and have 0 restarts.

    I restarted the pod for fresh logs. Here's the dump of both the connect-api and connect-sync logs.

    kubectl logs deployment/onepassword-connect -c connect-api

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:22.236128894Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:23.236614561Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-04-06T18:50:24.236855033Z","level":3}
    {"log_message":"(I) disabling bus peer auto-discovery","timestamp":"2022-04-06T18:50:25.239553647Z","level":3}
    {"log_message":"(I) connected to bus peer at localhost:11221","timestamp":"2022-04-06T18:50:25.240723716Z","level":3}
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-04-06T18:50:25.240907975Z","level":2}
    {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-04-06T18:50:25.241138542Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-04-06T18:50:25.241166283Z","level":3}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:50:45.43773031Z","level":3,"scope":{"request_id":"e6c700c3-c423-4206-aca9-4e0e0cd93ae0"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:50:45.437842508Z","level":3,"scope":{"request_id":"e6c700c3-c423-4206-aca9-4e0e0cd93ae0"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:45.438321723Z","level":3,"scope":{"request_id":"a82dc20c-9476-4735-9214-0e7e520442b6"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:45.439036178Z","level":3,"scope":{"request_id":"a82dc20c-9476-4735-9214-0e7e520442b6"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:55.438054739Z","level":3,"scope":{"request_id":"47d2c541-27f3-4ebf-ac02-ae41391488d3"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:55.438544371Z","level":3,"scope":{"request_id":"47d2c541-27f3-4ebf-ac02-ae41391488d3"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:05.436730884Z","level":3,"scope":{"request_id":"b35c6dd6-3fac-4fbe-b30f-faa457dc2767"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:05.437051136Z","level":3,"scope":{"request_id":"b35c6dd6-3fac-4fbe-b30f-faa457dc2767"}}
    

    kubectl logs deployment/onepassword-connect -c connect-sync

    {"log_message":"(I) disabling bus peer auto-discovery","timestamp":"2022-04-06T18:50:24.498800445Z","level":3}
    {"log_message":"(W) did not initialize bus connection to peer localhost:11220. If the peer is currently booting, it may initialize the connection while starting. Details: failed to transport.CreateConnection: [transport-websocket] failed to Dial endpoint: dial tcp 127.0.0.1:11220: connect: connection refused. ","timestamp":"2022-04-06T18:50:24.499900844Z","level":2}
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-04-06T18:50:24.500093453Z","level":2}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-04-06T18:50:24.50029249Z","level":3}
    {"log_message":"(I) serving on :8081","timestamp":"2022-04-06T18:50:24.500338439Z","level":3}
    {"log_message":"(I) no existing database found, will initialize at /home/opuser/.op/data/1password.sqlite","timestamp":"2022-04-06T18:50:24.500860912Z","level":3}
    {"log_message":"(I) database initialization complete","timestamp":"2022-04-06T18:50:24.51662394Z","level":3}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-04-06T18:50:24.517155596Z","level":3}
    {"log_message":"(I) established incoming bus peer connection","timestamp":"2022-04-06T18:50:25.240661368Z","level":3}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:45.437681412Z","level":3,"scope":{"request_id":"2bd63987-1095-49f4-a33c-eab03c649393"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:45.437907303Z","level":3,"scope":{"request_id":"2bd63987-1095-49f4-a33c-eab03c649393"}}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:50:45.439826104Z","level":3,"scope":{"request_id":"d891ecac-a5da-478b-b915-3b62d9d66f91"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:50:45.439874632Z","level":3,"scope":{"request_id":"d891ecac-a5da-478b-b915-3b62d9d66f91"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:50:55.43725771Z","level":3,"scope":{"request_id":"20a8c83a-5697-4264-9658-9f9745f024ac"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:50:55.437357602Z","level":3,"scope":{"request_id":"20a8c83a-5697-4264-9658-9f9745f024ac"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:05.436651689Z","level":3,"scope":{"request_id":"ee42e5c1-f3fe-43e9-9848-c104cb21bd8b"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:05.436719808Z","level":3,"scope":{"request_id":"ee42e5c1-f3fe-43e9-9848-c104cb21bd8b"}}
    {"log_message":"(I) GET /health","timestamp":"2022-04-06T18:51:15.437649723Z","level":3,"scope":{"request_id":"c658cc89-ce86-4251-bcc9-48be4b21678d"}}
    {"log_message":"(I) GET /health completed (200: OK)","timestamp":"2022-04-06T18:51:15.437709724Z","level":3,"scope":{"request_id":"c658cc89-ce86-4251-bcc9-48be4b21678d"}}
    {"log_message":"(I) GET /heartbeat","timestamp":"2022-04-06T18:51:15.43858387Z","level":3,"scope":{"request_id":"1f53dd9b-c866-4d6e-917e-b6af107a1b4d"}}
    {"log_message":"(I) GET /heartbeat completed (200: OK)","timestamp":"2022-04-06T18:51:15.438619475Z","level":3,"scope":{"request_id":"1f53dd9b-c866-4d6e-917e-b6af107a1b4d"}}
    
  • Thank you for clarifying that! I think I know what the issue could be.

    The magic that automatically creates Kubernetes secrets is not included in the base setup of Connect. That requires running a separate operator that talks with the Kubernetes API.

    Fortunately, that is all included in the Helm chart. So enabling it should be as simple as running the following Helm command:

    helm upgrade connect 1password/connect --reuse-values --set operator.create=true    
    

    The operator requires a Connect token (with read access to all vaults that it should create secrets for) to communicate with Connect. That can be stored in a k8s secret, like this:

    kubectl create secret generic onepassword-token --from-literal=token=INSERT_TOKEN_HERE
    

    If all goes well, you should end up with an extra onepassword-connect-operator deployment.

    Let me know if that helps.

    Joris
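
A scripted version of the checks this reply walks through, as an added example that is not part of the original thread or 1Password's own tooling: it confirms that the operator deployment, the token secret and the resulting Secret exist, without ever printing the token. The default namespace, the ITEM variable and the assumption that the Secret takes the OnePasswordItem's name are illustrative.

```shell
#!/bin/sh
# Added troubleshooting sketch, not from the thread or the 1Password project.
NS="${NS:-default}"                            # assumption: namespace of the Helm release
OPERATOR_DEPLOY="onepassword-connect-operator" # deployment name from the thread
TOKEN_SECRET="onepassword-token"               # secret name from the thread
TOKEN_KEY="token"                              # key used in --from-literal above

check_operator() {
  if kubectl -n "$NS" get deployment "$OPERATOR_DEPLOY" >/dev/null 2>&1; then
    echo "ok: deployment/$OPERATOR_DEPLOY exists"
  else
    echo "missing: deployment/$OPERATOR_DEPLOY (is operator.create=true set?)"
    return 1
  fi
}

check_token_secret() {
  # Fetch the value only to test that it is non-empty; it is never printed.
  val=$(kubectl -n "$NS" get secret "$TOKEN_SECRET" \
        -o "jsonpath={.data.$TOKEN_KEY}" 2>/dev/null) || {
    echo "missing: secret/$TOKEN_SECRET"; return 1; }
  if [ -z "$val" ]; then
    echo "empty: secret/$TOKEN_SECRET has no '$TOKEN_KEY' key"; return 1
  fi
  echo "ok: secret/$TOKEN_SECRET has key '$TOKEN_KEY'"
}

check_item_secret() {
  # $1 = OnePasswordItem name. Assumption: the operator names the Secret after it.
  if ! kubectl -n "$NS" get onepassworditem "$1" >/dev/null 2>&1; then
    echo "missing: OnePasswordItem/$1"; return 1
  fi
  if ! kubectl -n "$NS" get secret "$1" >/dev/null 2>&1; then
    echo "pending: secret/$1 not created"; return 1
  fi
  echo "ok: secret/$1 exists"
}

diagnose() {
  fails=0
  check_operator || fails=$((fails + 1))
  check_token_secret || fails=$((fails + 1))
  check_item_secret "$1" || fails=$((fails + 1))
  [ "$fails" -eq 0 ] || echo "next: kubectl -n $NS logs deployment/$OPERATOR_DEPLOY"
  return "$fails"
}

# Runs only when ITEM is set, e.g. ITEM=my-item sh diagnose.sh
if [ -n "${ITEM:-}" ]; then diagnose "$ITEM"; fi
```

The return code of diagnose is the number of failed checks, so it can gate a deploy step.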

  • lynnturnt
    Community Member

    Silly me. That did it. Yes, it's magical. Excellent help, thank you!

  • You're welcome. Glad it works now. Enjoy the magic!

This discussion has been closed.