Support mounting multiple secrets together #59

Open
villesau opened this issue Aug 12, 2021 · 5 comments
Labels
tracked Issue is tracked in 1Password's internal ticketing system as well.

Comments

@villesau

villesau commented Aug 12, 2021

Summary

It would be useful to be able to mount multiple secrets in a single secret.

Use cases

Kubernetes supports the following:

Secret definition:

apiVersion: v1
kind: Secret
metadata:
  name: my-secrets
type: Opaque
data:
  SECRET_1: "base64"
  SECRET_2: "base64"

which is mounted like this:

          envFrom:
            - secretRef:
                name: my-secrets

This results in SECRET_1 & SECRET_2 being accessible via env variables inside the container.

However, to my understanding, the 1pw operator can currently carry only 1 field in my-secrets, so this is not possible.

Proposed solution

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets #this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
  SECRET_2: "vaults/vault/items/secret-2"

Alternatively, it would be nice if 1Password had native support for key-value pair type secrets built in.

Is there a workaround to accomplish this today?

Mount every secret individually. This increases boilerplate and reduces readability.
E: It seems that there's a way to mount multiple secrets with one file: #60. However, there is still no way to add multiple key / value pairs per secret.

@jillianwilson
Contributor

jillianwilson commented Aug 17, 2021

Hi there,

The 1Password operator actually can place multiple fields in a secret. When you create a secret using

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets #this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"

each field in the 1Password item will become a field in the data of the Kubernetes secret. For example, if you have a username and password stored in secret-1 in 1Password, this will translate to the following:

apiVersion: v1
kind: Secret
metadata:
  name: secret-1
type: Opaque
data:
  username: "base64"
  password: "base64"

Is this an acceptable solution for you or is it necessary for you to be able to place multiple 1Password items (and their fields) within a secret?

@villesau
Author

@jillianwilson what happens to testing-secrets and SECRET_1? And where does secret-1 come from? An example in the documentation would probably help to understand this!

@lhriley

lhriley commented Sep 15, 2021

@jillianwilson I'm not sure that this is a valid example:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets #this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"

When I specify any key other than itemPath I get a validation error. With this in mind, the following example would definitely not work:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets #this name will also be used for naming the generated kubernetes secret
spec:
  SECRET_1: "vaults/vault/items/secret-1"
  SECRET_2: "vaults/vault/items/secret-2"

edif2008 added the tracked label May 31, 2022
@jillianwilson
Contributor

Hi again,

Apologies, as it appears there was a typo in my last reply.

What I meant to explain was that by linking one 1Password item to a Kubernetes Secret, all the item's fields will be available in the associated Kubernetes Secret, thus multiple secrets (for example, a username and password on a login item) can be represented in one Kubernetes Secret. If you are looking to link multiple 1Password items to a Kubernetes Secret, this is not currently possible, but hopefully the above solution is suitable.

Amended example:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: testing-secrets #this name can be anything, but will create a kubernetes secret with the same name
spec:
  itemPath: "vaults/<vault-id>/items/<item-id>"

@azhurbilo

> If you are looking to link multiple 1Password Items to a kubernetes secret, this is not currently possible, but hopefully the above solution is suitable

As a workaround it could be OK: like 1 app in k8s == 1 secret item in 1Password with multiple password fields.

But in this case we have a problem: if different apps in k8s use the same password, we need to duplicate it (copy/paste) in different 1Password secrets.
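
The one-item-per-Secret model described in this thread can be combined with Kubernetes' support for several sources under `envFrom`, so a credential shared between apps lives in one 1Password item instead of being copied into each. This is an added example, not from the thread or the 1Password project; the resource names, the image and the `<...>` IDs are placeholders, and it assumes the operator behaves as described above (one Kubernetes Secret per `OnePasswordItem`, named after it).

```yaml
# Added example; names, image and <...> IDs are placeholders.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: app-a-secrets          # operator creates a Kubernetes Secret with this name
spec:
  itemPath: "vaults/<vault-id>/items/<app-a-item-id>"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: shared-db-credentials  # single item, referenced by every app that needs it
spec:
  itemPath: "vaults/<vault-id>/items/<shared-item-id>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-a
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-a
  template:
    metadata:
      labels:
        app: app-a
    spec:
      containers:
        - name: app-a
          image: registry.example.com/app-a:1.0.0   # placeholder image
          envFrom:
            # App-specific fields, exposed under their own key names.
            - secretRef:
                name: app-a-secrets
            # Shared fields, prefixed so they cannot shadow app-specific keys.
            - prefix: DB_
              secretRef:
                name: shared-db-credentials
```

When the same key appears in more than one `envFrom` source, the last source listed takes precedence, which is why the shared Secret is given a prefix here.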
