
Support for stringData in Opaque secrets #127

Open
rooso opened this issue Sep 22, 2022 · 6 comments

Comments

@rooso

rooso commented Sep 22, 2022

Summary

For some use cases I'll need a Kubernetes Secret of type Opaque with data in stringData and not in data. See also https://kubernetes.io/docs/concepts/configuration/secret/#restriction-names-data. That is a native Kubernetes use case which would be great to have in combination with the 1Password Operator.

Use cases

Allow storing secret values that are not base64 encoded in stringData, for applications that need unencoded values in a Kubernetes Secret.

Proposed solution

Adding an option to specify whether an Opaque secret will store the values in data or stringData.

Following OnePasswordItem ...

apiVersion: onepassword.com/v1
kind: OnePasswordItem
type: Opaque/stringData
metadata:
  name: private-repo-creds
spec:
  itemPath: vaults/mysecretvault/items/private-repo-creds

... should create a Kubernetes Secret like this:

apiVersion: v1
kind: Secret
metadata:
  name: private-repo-creds
  namespace: demo
stringData:
  type: git
  url: [email protected]:kubernetes/application
  sshPrivateKey: |
    -----BEGIN PRIVATE KEY-----
    ... wait for 1Password support for stringData in secrets
    -----END PRIVATE KEY-----

Is there a workaround to accomplish this today?

If the application supports it, you can decode the base64 encoded value before use. In my case, that's not possible.

@rooso

rooso commented Oct 20, 2022

Discovered a new Kubernetes application deployment that needs secrets with stringData. ArgoCD and Pinniped are two of them.

rooso closed this as not planned Oct 21, 2022
edif2008 reopened this May 23, 2023
@richardnabu

richardnabu commented Jun 26, 2023

+1 SeldonCore needs this - Seldon docs here

@zach-broadway-nauto

zach-broadway-nauto commented Jul 24, 2023

+1 I would say that the ArgoCD use case is a VERY valid reason to plan this work. Many companies are adopting ArgoCD for GitOps workflows.

Please see the github ssh secret example from the ArgoCD Docs

@brizzbuzz

Tailscale operator also needs this 🙏

@fdaligand

fdaligand commented Dec 7, 2023

Hi there,

I just deployed the following OnePasswordItem for my argocd deployment and it works well.

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cluster-managment-https-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
spec:
  itemPath: "vaults/${env}/items/cluster-managment-https-repo"

and the secret generated is as follows:

Name:         cluster-managment-https-repo
Namespace:    argocd
Labels:       argocd.argoproj.io/secret-type=repository
Annotations:  operator.1password.io/item-path: vaults/***/items/***
              operator.1password.io/item-version: 1

Type:  Opaque

Data
====
username:  25 bytes
password:  12 bytes
type:      3 bytes
url:       51 bytes

ArgoCD doesn't care if your secret uses data or stringData.
I hope it will help.

@matthijsvdr

I just spent way too much time trying to find out why cert-manager gave errors contacting the Cloudflare API. It is because the 1Password secret was not (and can't be) defined as stringData.

Does not work

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
spec:
  itemPath: "vaults/my-vault/items/cloudflare-api"

Works

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: secret-token-here

Now I just have to make sure to not commit the secret 🫠

Would be great for this to be added to 1password somehow
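The thread's two technical points are that applications "need stringData" (the opening post) and that a hand-written stringData Secret works where the operator-generated one did not (the cert-manager report above). What the Kubernetes API server actually does on write is merge stringData into data (base64-encoded, stringData winning on a key clash) and drop stringData, so a persisted Secret never carries stringData at all. The script below, added here as an example and not code from this issue or from the 1Password operator, emulates that normalisation and then diffs two persisted Secrets the way a consumer sees them, after base64 decoding. The manifests are constructed for the example; the "operator-generated" one is a hypothetical Secret whose value carries a trailing newline, which is the kind of byte-level difference a decoded diff exposes while kubectl's "N bytes" summary hides it.

```python
import base64
import re

# Kubernetes restriction on Secret data keys (the docs link in the opening post).
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def normalize_secret(manifest: dict) -> dict:
    """Emulate the API server's write path for a Secret: every stringData entry
    is UTF-8 encoded, base64-encoded and merged into data (stringData wins on a
    key clash); stringData itself is never persisted. After this step a Secret
    written via stringData is indistinguishable from one written via data."""
    for key in list(manifest.get("data", {})) + list(manifest.get("stringData", {})):
        if not KEY_RE.match(key):
            raise ValueError(f"invalid Secret key {key!r}")
    data = dict(manifest.get("data", {}))
    for key, value in manifest.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    stored = {k: v for k, v in manifest.items() if k not in ("data", "stringData")}
    if data:
        stored["data"] = data
    return stored


def decoded_values(secret: dict) -> dict:
    """What a consumer (cert-manager, ArgoCD, ...) reads: raw bytes after base64 decode."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def diff_secrets(expected: dict, actual: dict) -> list:
    """Compare two persisted Secrets as consumers see them. Returns human-readable
    discrepancies (missing or unexpected keys, differing bytes); an empty list
    means any application reading either Secret gets identical values."""
    exp, act = decoded_values(expected), decoded_values(actual)
    problems = []
    for key in sorted(set(exp) | set(act)):
        if key not in act:
            problems.append(f"missing key {key!r}")
        elif key not in exp:
            problems.append(f"unexpected key {key!r}")
        elif exp[key] != act[key]:
            problems.append(f"value mismatch for {key!r}: {exp[key]!r} != {act[key]!r}")
    return problems


# Constructed for this example: the hand-written Secret from the cert-manager report.
HAND_WRITTEN = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "cloudflare-api-token", "namespace": "cert-manager"},
    "type": "Opaque",
    "stringData": {"api-token": "secret-token-here"},
}

# Hypothetical operator-generated Secret (constructed): same key, but the vault
# field value picked up a trailing newline, which the consumer then sends verbatim.
OPERATOR_GENERATED = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "cloudflare-api-token", "namespace": "cert-manager"},
    "type": "Opaque",
    "data": {"api-token": base64.b64encode(b"secret-token-here\n").decode("ascii")},
}

if __name__ == "__main__":
    stored = normalize_secret(HAND_WRITTEN)
    print("persisted form of the stringData Secret:", stored["data"])
    for problem in diff_secrets(stored, OPERATOR_GENERATED):
        print("-", problem)
```

Because the persisted form is the same either way, "this consumer needs stringData" is really "this consumer needs these exact key names and these exact bytes"; running the diff against a real Secret (after `kubectl get secret -o json`) pinpoints which of the two is off.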
