Merge branch '1Password:main' into feat/add-empty-value-field

1Password · Apr 20, 2023 · f428055 · f428055
2 parents 5733c70 + fe930fe
commit f428055
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 9 deletions.
diff --git a/config/connect/deployment.yaml b/config/connect/deployment.yaml
@@ -12,6 +12,8 @@ spec:
         app: onepassword-connect
         version: "1.0.0"
     spec:
+      securityContext:
+        runAsNonRoot: true
       volumes:
         - name: shared-data
           emptyDir: {}
@@ -32,6 +34,8 @@ spec:
       containers:
         - name: connect-api
           image: 1password/connect-api:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
@@ -49,6 +53,8 @@ spec:
               name: shared-data
         - name: connect-sync
           image: 1password/connect-sync:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: kube-rbac-proxy
         securityContext:

diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -6,6 +6,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: manager
         args:

diff --git a/controllers/deployment_controller.go b/controllers/deployment_controller.go
@@ -95,12 +95,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		// This is so we can handle cleanup of associated secrets properly
 		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
 			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer)
-			if err := r.Update(context.Background(), deployment); err != nil {
+			if err = r.Update(context.Background(), deployment); err != nil {
 				return reconcile.Result{}, err
 			}
 		}
 		// Handles creation or updating secrets for deployment if needed
-		if err := r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {
+		if err = r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {
 			return ctrl.Result{}, err
 		}
 		return ctrl.Result{}, nil
@@ -110,10 +110,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
 
 		secretName := annotations[op.NameAnnotation]
-		r.cleanupKubernetesSecretForDeployment(secretName, deployment)
+		if err = r.cleanupKubernetesSecretForDeployment(secretName, deployment); err != nil {
+			return ctrl.Result{}, err
+		}
 
 		// Remove the finalizer from the deployment so deletion of deployment can be completed
-		if err := r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
+		if err = r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
 			return reconcile.Result{}, err
 		}
 	}
@@ -144,7 +146,7 @@ func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(secretName s
 
 	// Only delete the associated kubernetes secret if it is not being used by other deployments
 	if !multipleDeploymentsUsingSecret {
-		if err := r.Delete(context.Background(), kubernetesSecret); err != nil {
+		if err = r.Delete(context.Background(), kubernetesSecret); err != nil {
 			if !errors.IsNotFound(err) {
 				return err
 			}

diff --git a/controllers/onepassworditem_controller.go b/controllers/onepassworditem_controller.go
@@ -95,13 +95,13 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		// This is so we can handle cleanup of associated secrets properly
 		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
 			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer)
-			if err := r.Update(context.Background(), onepassworditem); err != nil {
+			if err = r.Update(context.Background(), onepassworditem); err != nil {
 				return ctrl.Result{}, err
 			}
 		}
 
 		// Handles creation or updating secrets for deployment if needed
-		err := r.handleOnePasswordItem(onepassworditem, req)
+		err = r.handleOnePasswordItem(onepassworditem, req)
 		if updateStatusErr := r.updateStatus(onepassworditem, err); updateStatusErr != nil {
 			return ctrl.Result{}, fmt.Errorf("cannot update status: %s", updateStatusErr)
 		}
@@ -116,7 +116,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 
 		// Remove finalizer now that cleanup is complete
-		if err := r.removeFinalizer(onepassworditem); err != nil {
+		if err = r.removeFinalizer(onepassworditem); err != nil {
 			return ctrl.Result{}, err
 		}
 	}
@@ -143,7 +143,6 @@ func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(onePasswordItem *one
 	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name
 	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace
 
-	r.Delete(context.Background(), kubernetesSecret)
 	if err := r.Delete(context.Background(), kubernetesSecret); err != nil {
 		if !errors.IsNotFound(err) {
 			return err