1Password/onepassword-operator 1Password/onepassword-operator

  • Stars
    star
    531
  • Rank 83,526 (Top 2 %)
  • Language
    Go
  • License
    MIT License
  • Created almost 4 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
1Password/onepassword-operator
github

1Password

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.

1Password Connect Kubernetes Operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages OnePasswordItem Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The OnePasswordItem CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.

The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.

The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.

Prerequisites

Quickstart for Deploying 1Password Connect to Kubernetes

If 1Password Connect is already running, you can skip this step.

There are options to deploy 1Password Connect:

Deploy with Helm

The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes.

The 1Password Connect Helm Chart can be found here.

Deploy using the Connect Operator

This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.

Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:

cat 1password-credentials.json | base64 | \
  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session

Create a Kubernetes secret from the op-session file:

kubectl create secret generic op-credentials --from-file=op-session

Add the following environment variable to the onepassword-connect-operator container in /config/manager/manager.yaml:

- name: MANAGE_CONNECT
  value: "true"

Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the current namespace.

Kubernetes Operator Deployment

Create Kubernetes Secret for OP_CONNECT_TOKEN

"Create a Connect token for the operator and save it as a Kubernetes Secret:

kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"

If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:

kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)

Deploying the Operator

An sample Deployment yaml can be found at /config/manager/manager.yaml.

To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:

  • OP_CONNECT_HOST (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
  • WATCH_NAMESPACE: (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
  • POLLING_INTERVAL (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
  • MANAGE_CONNECT (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the current namespace.
  • AUTO_RESTART (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the "Configuring Automatic Rolling Restarts of Deployments" section.

To deploy the operator, simply run the following command:

make deploy

Undeploy Operator

make undeploy

Usage

To create a Kubernetes Secret from a 1Password item, create a yaml file with the following

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: <item_name> #this name will also be used for naming the generated kubernetes secret
spec:
  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>"

Deploy the OnePasswordItem to Kubernetes:

kubectl apply -f <your_item>.yaml

To test that the Kubernetes Secret check that the following command returns a secret:

kubectl get secret <secret_name>

Note: Deleting the OnePasswordItem that you've created will automatically delete the created Kubernetes Secret.

To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-example
  annotations:
    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
    operator.1password.io/item-name: "<secret_name>"

Applying this yaml file will create a Kubernetes Secret with the name <secret_name> and contents from the location specified at the specified Item Path.

The contents of the Kubernetes secret will be key-value pairs in which the keys are the fields of the 1Password item and the values are the corresponding values stored in 1Password. In case of fields that store files, the file's contents will be used as the value.

Within an item, if both a field storing a file and a field of another type have the same name, the file field will be ignored and the other field will take precedence.

Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with operator.1password.io/item-path and operator.1password.io/item-name and no other deployment is using the secret.

If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag operator.1password.io:ignore-secret to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.

NOTE

If multiple 1Password vaults/items have the same title when using a title in the access path, the desired action will be performed on the oldest vault/item.

Titles and field names that include white space and other characters that are not a valid DNS subdomain name will create Kubernetes secrets that have titles and fields in the following format:

  • Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
  • All whitespaces between words will be replaced by -
  • All the letters will be lower-cased.

Configuring Automatic Rolling Restarts of Deployments

If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to auto-restart AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.

There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.

On the operator: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable AUTO_RESTART to true. If the value is not set, the operator will default this value to false.

Per Namespace: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation operator.1password.io/auto-restart to either true or false on the desired namespace. An example of this is shown below:

# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
apiVersion: v1
kind: Namespace
metadata:
  name: "example-namespace"
  annotations:
    operator.1password.io/auto-restart: "true"

If the value is not set, the auto restart settings on the operator will be used. This value can be overwritten by deployment.

Per Deployment This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation operator.1password.io/auto-restart to either true or false on the desired deployment. An example of this is shown below:

# enabled auto restarts for the deployment
apiVersion: v1
kind: Deployment
metadata:
  name: "example-deployment"
  annotations:
    operator.1password.io/auto-restart: "true"

If the value is not set, the auto restart settings on the namespace will be used.

Per OnePasswordItem Custom Resource This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation operator.1password.io/auto_restart to either true or false on the desired OnePasswordItem. An example of this is shown below:

# enabled auto restarts for the OnePasswordItem
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: example
  annotations:
    operator.1password.io/auto-restart: "true"

If the value is not set, the auto restart settings on the deployment will be used.

Development

How it works

This project aims to follow the Kubernetes Operator pattern

It uses Controllers which provides a reconcile function responsible for synchronizing resources untile the desired state is reached on the cluster

Test It Out

  1. Install the CRDs into the cluster:
make install
  1. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run

NOTE: You can also run this in one step by running: make install run

Modifying the API definitions

If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

make manifests

NOTE: Run make --help for more information on all potential make targets

More information can be found via the Kubebuilder Documentation

Security

1Password requests you practice responsible disclosure if you discover a vulnerability.

Please file requests via BugCrowd.

For information about security practices, please visit our Security homepage.

More Repositories

1

typeshare

Typeshare is the ultimate tool for synchronizing your type definitions between Rust and other languages for seamless FFI.
Rust
2,393
star
2

1password-teams-open-source

Get a free 1Password Teams membership for your open source project
1,562
star
3

arboard

A clipboard for Rust
Rust
640
star
4

shell-plugins

Seamless authentication for every tool in your terminal.
Go
519
star
5

electron-hardener

A fast and small Rust library to make Electron apps more secure.
Rust
380
star
6

srp

A set of Go functions for Secure Remote Password protocol implementation in 1Password Teams
Go
348
star
7

terraform-provider-onepassword

Use the 1Password Terraform Provider to reference, create, or update items in your 1Password Vaults.
Go
323
star
8

op-vscode

1Password for VS Code
TypeScript
211
star
9

spg

1Password's Strong Password Generator - Go package
Go
202
star
10

connect-sdk-python

Python SDK for 1Password Connect
Python
200
star
11

vault-plugin-secrets-onepassword

Hashicorp Vault plugin integrates with 1Password Connect to allow for the retrieval, creation, and deletion of items stored in 1Password.
Go
193
star
12

load-secrets-action

Load secrets from 1Password into your GitHub Actions jobs
TypeScript
183
star
13

connect-sdk-go

Go SDK for 1Password Connect
Go
159
star
14

connect

Access your 1Password secrets using a 1Password Connect Server
149
star
15

scim-examples

1Password SCIM Bridge deployment examples
HCL
147
star
16

connect-sdk-js

Node SDK for 1Password Connect
TypeScript
143
star
17

passkey-rs

A framework for defining Webauthn Authenticators that support passkeys
Rust
122
star
18

ansible-onepasswordconnect-collection

The 1Password Connect collection contains modules that interact with your 1Password Connect deployment. The modules communicate with the 1Password Connect API to support Vault Item create/read/update/delete operations.
Python
112
star
19

op-js

A JS library powered by the 1Password CLI
TypeScript
92
star
20

solutions

Examples and templates from the 1Password Solutions team
Python
78
star
21

connect-helm-charts

Official 1Password Helm Charts
Smarty
76
star
22

electron-secure-defaults

Starter kit and documentation for building security conscious Electron apps
TypeScript
74
star
23

typeshare-old

Generate code in different languages from Rust type definitions for FFI interop.
Rust
70
star
24

password-rules-parser

Rust parser for the passwordrules attribute
Rust
68
star
25

sys-locale

A small and lightweight Rust library to obtain the active locale on the system.
Rust
66
star
26

burp-1password-session-analyzer

Burp plugin for the 1Password session protocol for use by security researchers. https://bugcrowd.com/agilebits
Java
51
star
27

kubernetes-secrets-injector

Go
49
star
28

check-signed-commits-action

GitHub Action to check PRs for signed commits
41
star
29

homebrew-tap

Homebrew tap to install 1Password products.
Ruby
37
star
30

install-cli-action

Install 1Password CLI into your GitHub Actions jobs.
Shell
31
star
31

op-scim-helm

Helm charts for the op-scim applications
Smarty
22
star
32

pulumi-onepassword

Pulumi provider for 1Password.
Python
16
star
33

developer-community-projects

Go
15
star
34

op-scim-gcp-marketplace

Makefile
14
star
35

events-api-elastic

Go
12
star
36

events-api-generic

Go
12
star
37

markdown-benchmarks

Benchmarking markdown libraries
C
11
star
38

events-api-splunk

Go
7
star
39

dep-report

Go
7
star
40

postman-integration-secrets-edu-ut-edition

JavaScript
7
star
41

terraform-provider-onepassword-secrets-edu-ut-edition

Go
7
star
42

ring

Fork of https://github.com/briansmith/ring
Assembly
5
star
43

secrets-orb

Shell
5
star
44

blog-ci-docker

Dockerfile for 1password/blog-ci container. Based on https://github.com/felicianotech/docker-hugo
5
star
45

onepassword-sdk-go

Go
5
star
46

onepassword-sdk-js

The official JavaScript SDK for 1Password
JavaScript
5
star
47

publicsuffix-benchmarks

Testing performance of the public suffix list libraries (https://publicsuffix.org)
Rust
4
star
48

extension-messaging

TypeScript
4
star
49

onepassword-sdk-python

Python
3
star
50

go-directequality-checker

Go
2
star
51

docusaurus-extensions

TypeScript
2
star
52

ppa

TeX
1
star