Hello. Excited to get this working.
One connect pods are green. I've created my CRD for a OnePasswordItem. I've applied it. I see the CRD in the Object Explorer on GKE. However, my actual k8s secret never shows up. I guess I was expecting a log or message or error of some sort to tell me what to do next.
Here's my vault:
Here's my OnePasswordItem in the Object Explorer:
Here's my yaml for the OnePasswordItem above:
How do I troubleshoot? Is there a log file that tells me what I'm missing?
Thanks!
Comments
Team Member
Hey!
I am glad to hear you are excited to get this to work. Speaking from my own experience, it's pretty magical when it works!
Let's try to get this sorted. First a quick check because it is not explicitly mentioned in the post: you are running the 1Password Operator? (either by manually deploying the manifest in that repo or through our Helm chart)
If that is indeed the case, could you share the logs of the onepassword-connect-operator deployment? (kubectl logs deployment/onepassword-connect-operator probably does the trick) That might contain some hints as to what is going on.
Joris
Thanks for the quick reply. I did forget to mention that! Yes, installed the helm version as part of the install. I have a deployment called onepassword-connect. Inside are a couple of containers:
Both are running, green and have 0 restarts.
I restarted the pod for fresh logs. Here's the dump of both the connect-api and connect-sync logs:
kubectl logs deployment/onepassword-connect -c connect-api
kubectl logs deployment/onepassword-connect -c connect-sync
Team Member
Thank you for clarifying that! I think I know what the issue could be.
The magic that automatically creates Kubernetes secrets is not included in the base setup of Connect. That requires running a separate operator that talks with the Kubernetes API.
Fortunately, that is all included in the Helm chart. So enabling it should be as simple as running the following Helm command:
The operator requires a Connect token (with read access to all vaults that it should create secrets for) to communicate with Connect. That can be stored in a k8s secret, like this:
If all goes well, you should end up with an extra onepassword-connect-operator deployment.
Let me know if that helps.
Joris
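The checks this exchange arrived at can be scripted. The following is an added example, not code from the thread or from 1Password: it classifies why a OnePasswordItem has produced no Kubernetes secret, working only from object names. The token secret name `onepassword-token`, the helper names and the sample object names are assumptions; the deployment names are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: classify why a OnePasswordItem has produced no Kubernetes secret.
OPERATOR_DEPLOY="onepassword-connect-operator"      # deployment name from the thread
TOKEN_SECRET="${TOKEN_SECRET:-onepassword-token}"   # assumption: secret holding the Connect token

# has_line LISTING NAME: true when NAME is an exact line of LISTING.
# Whole-line matching keeps "onepassword-connect" from passing as the operator.
has_line() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# diagnose DEPLOYS SECRETS ITEM
#   DEPLOYS: output of `kubectl get deployments -o name`
#   SECRETS: output of `kubectl get secrets -o name`
#   ITEM:    metadata.name of the OnePasswordItem (the operator names the secret after it)
# Prints one finding and returns 0 only when the secret exists.
diagnose() {
    if ! has_line "$1" "deployment.apps/$OPERATOR_DEPLOY"; then
        echo "operator-missing"; return 1      # Connect alone never creates secrets
    fi
    if ! has_line "$2" "secret/$TOKEN_SECRET"; then
        echo "token-secret-missing"; return 2  # operator cannot authenticate to Connect
    fi
    if ! has_line "$2" "secret/$3"; then
        echo "secret-not-created"; return 3    # next step: read the operator logs
    fi
    echo "ok"
}

# live_diagnose NAMESPACE ITEM: same checks against a real cluster (needs kubectl).
live_diagnose() {
    diagnose "$(kubectl -n "$1" get deployments -o name)" \
             "$(kubectl -n "$1" get secrets -o name)" "$2" && return 0
    # Secret values are never printed; only object names and operator logs are read.
    kubectl -n "$1" logs "deployment/$OPERATOR_DEPLOY" --tail=50
    return 1
}

# Constructed sample: the state described in the thread (Connect running, no operator).
SAMPLE_DEPLOYS="deployment.apps/onepassword-connect"
SAMPLE_SECRETS="secret/op-credentials"
diagnose "$SAMPLE_DEPLOYS" "$SAMPLE_SECRETS" "my-db-credentials" || true
```

Against a cluster, `live_diagnose <namespace> <item-name>` runs the same checks and falls back to the operator logs when the secret is absent.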
Silly me. That did it. Yes, it's magical. Excellent help, thank you!
Team Member
You're welcome. Glad it works now. Enjoy the magic!