From e479d302f5258b6e27a96fd2df334521994abbb2 Mon Sep 17 00:00:00 2001 From: Jack Platten Date: Fri, 14 Jul 2023 13:47:00 -0700 Subject: [PATCH 1/3] Update readme --- README.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index edc9169..d8895d5 100644 --- a/README.md +++ b/README.md 
@@ -123,26 +123,31 @@ spec: -**Note:** Injected secrets are available *only* in the current pod's session. +To inject secrets, the container you're looking to inject into must have a `command` defined. The 1Password Secrets Injector works by mutating the `command` on init, and as such a command is needed to be mutated. If the deployments you're using are designed to have `command` specified in the deployment, then using the 1Password Kubernetes Operator may be a better fit. + +**Note:** Injected secrets are available *only* in the current pod's session. In other words, the secrets will only be accessible for the command listed in the container specification. To access it in any other session, for example using `kubectl exec`, it's necessary to prepend `op run --` to the command. + In the example above the `app-example1` container will have injected the `DB_USERNAME` and `DB_PASSWORD` values in the session executed by the command `npm start`. -If you want to access them in a new session (for example using `kubectl exec`) you should append `op run --` to the command executed in the container's new session. Another alternative to have the secrets available in all container's sessions is by using the [1Password Kubernetes Operator](https://github.com/1password/onepassword-operator). ## Setup and Deployment ### Prerequisites + - [docker installed](https://docs.docker.com/get-docker/) - [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/) If you want to use 1Password Connect: + - [Set up a Secrets Automation workflow](https://developer.1password.com/docs/connect/get-started#step-1-set-up-a-secrets-automation-workflow). - [Deploy 1Password Connect](https://developer.1password.com/docs/connect/get-started#step-2-deploy-1password-connect-server) in your Kubernetes infrastructure. Then, follow instructions to [use the Kubernetes Injector](#use-with-1password-connect). 
If you want to use 1Password Service Accounts: + - [Create a service account.](https://developer.1password.com//docs/service-accounts/) Then, follow instructions to [use the Kubernetes Injector with a service account](#use-with-1password-service-accounts). @@ -166,12 +171,13 @@ kubectl label namespace default secrets-injection=enabled ```shell make deploy ``` -**NOTE:** The injector creates the TLS certificate required for the webhook to work on the fly when deploying the injector (`deployment.yaml`). When the injector is removed from the cluster, it will delete the certificate. +**NOTE:** The injector creates the TLS certificate required for the webhook to work on the fly when deploying the injector (`deployment.yaml`). When the injector is removed from the cluster, it will delete the certificate. ### Step 4: Annotate your client pod or deployment with `inject` annotation Annotate your client pod or deployment spec with `operator.1password.io/inject`. It expects a comma separated list of the names of the containers that will be mutated and have secrets injected. + ```yaml # client-deployment.yaml annotations: @@ -190,7 +196,8 @@ env: ### Step 6: Provide 1Password CLI credentials on your pod or deployment -You can provide your pod or deployment with 1Password CLI credentials by [creating Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opconnecttoken) and referring to them in your deployment configuration. +Provide your pod or deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opconnecttoken) and referring to them in your deployment configuration. + ```yaml # your-app-pod/deployment.yaml env: 
@@ -208,23 +215,29 @@ env: ## Use with 1Password Service Accounts ### Step 1: Create a Kubernetes secret containing `OP_SERVICE_ACCOUNT_TOKEN` + ``` kubectl create secret generic op-service-account --from-literal=token=YOUR_OP_SERVICE_ACCOUNT_TOKEN ``` -### Step 2: Add the label `secrets-injection=enabled` label to the namespace: +### Step 2: Add the label `secrets-injection=enabled` label to the namespace + ``` kubectl label namespace default secrets-injection=enabled ``` ### Step 3: Deploy injector + ``` make deploy ``` + **NOTE:** The injector creates the TLS certificate required for the webhook to work on the fly when deploying the injector (`deployment.yaml`). When the injector is removed from the cluster, it will delete the certificate. ### Step 4: Annotate your client pod or deployment with `inject` annotation + Annotate your client pod or deployment spec with `operator.1password.io/inject`. It expects a comma separated list of the names of the containers that will be mutated and have secrets injected. + ```yaml # client-deployment.yaml annotations: @@ -232,7 +245,9 @@ annotations: ``` ### Step 5: Annotate your client pod or deployment with `version` annotation + Annotate your client pod or deployment with the latest version of the 1Password CLI (`2.18.0` or later). + ```yaml # client-deployment.yaml annotations: @@ -240,7 +255,9 @@ annotations: ``` ### Step 6: Configure the resource's environment + Add an environment variable to the resource with a value referencing your 1Password item. Use the following secret reference syntax: `op:///[/section]/`. + ```yaml # client-deployment.yaml env: 
@@ -250,7 +267,8 @@ env: ### Step 7: Provide 1Password CLI credentials on your pod or deployment -You can provide your pod or deployment with 1Password CLI credentials by [creating Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opserviceaccounttoken) and referring to them in your deployment configuration. +Provide your pod or deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opserviceaccounttoken) and referring to them in your deployment configuration. + ```yaml # client-deployment.yaml env: @@ -266,6 +284,7 @@ env: ## Troubleshooting If you can't inject secrets in your pod, make sure: + - The namespace of your pod has the `secrets-injection=enabled` label - The 1Password Secret Injector webhook is running (`secrets-injector` by default). - Your container has a `command` field specifying the command to run the app in your container From ece5b2a1aa6a7f182a99af17e35dc6c66d8353ef Mon Sep 17 00:00:00 2001 From: Jack Platten Date: Fri, 14 Jul 2023 13:49:18 -0700 Subject: [PATCH 2/3] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d8895d5..f2c5880 100644 --- a/README.md +++ b/README.md 
@@ -123,7 +123,7 @@ spec: -To inject secrets, the container you're looking to inject into must have a `command` defined. The 1Password Secrets Injector works by mutating the `command` on init, and as such a command is needed to be mutated. If the deployments you're using are designed to have `command` specified in the deployment, then using the 1Password Kubernetes Operator may be a better fit. +To inject secrets, the container you're looking to inject into must have a `command` defined. The 1Password Secrets Injector works by mutating the `command` on init, and as such a command is needed to be mutated. If the deployments you're using aren't designed to have `command` specified in the deployment, then using the 1Password Kubernetes Operator may be a better fit. **Note:** Injected secrets are available *only* in the current pod's session. In other words, the secrets will only be accessible for the command listed in the container specification. To access it in any other session, for example using `kubectl exec`, it's necessary to prepend `op run --` to the command. From bf462924811d78840e4a3a717b3ef8d90a048e49 Mon Sep 17 00:00:00 2001 From: Jack Platten Date: Fri, 14 Jul 2023 15:06:42 -0700 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Adam Pike --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f2c5880..c507201 100644 --- a/README.md +++ b/README.md 
@@ -123,7 +123,7 @@ spec: -To inject secrets, the container you're looking to inject into must have a `command` defined. The 1Password Secrets Injector works by mutating the `command` on init, and as such a command is needed to be mutated. If the deployments you're using aren't designed to have `command` specified in the deployment, then using the 1Password Kubernetes Operator may be a better fit. +To inject secrets, the Pod you're looking to inject into must have a `command` value defined in its [Deployment or Pod spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core). The 1Password Secrets Injector works by mutating the this value on initilization, and as such a command is needed to be mutated. If the deployments you're using aren't designed to have `command` specified in the deployment, then the 1Password Kubernetes Operator may be a better fit for your use case. **Note:** Injected secrets are available *only* in the current pod's session. In other words, the secrets will only be accessible for the command listed in the container specification. To access it in any other session, for example using `kubectl exec`, it's necessary to prepend `op run --` to the command. @@ -172,7 +172,7 @@ kubectl label namespace default secrets-injection=enabled make deploy ``` -**NOTE:** The injector creates the TLS certificate required for the webhook to work on the fly when deploying the injector (`deployment.yaml`). When the injector is removed from the cluster, it will delete the certificate. +**NOTE:** The injector creates the TLS certificate required for the webhook to work on the fly when deploying the injector ([`deployment.yaml`](/deploy/deployment.yaml)). When the injector is removed from the cluster, it will delete the certificate. ### Step 4: Annotate your client pod or deployment with `inject` annotation 
@@ -196,7 +196,7 @@ env: ### Step 6: Provide 1Password CLI credentials on your pod or deployment -Provide your pod or deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opconnecttoken) and referring to them in your deployment configuration. +Provide your Pod or Deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these credentials is to [create a Kubernetes Secret](#step-1-create-a-kubernetes-secret-containing-opconnecttoken) and refer to it in your deployment configuration. ```yaml # your-app-pod/deployment.yaml @@ -267,7 +267,7 @@ env: ### Step 7: Provide 1Password CLI credentials on your pod or deployment -Provide your pod or deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create Kubernetes Secrets](#step-1-create-a-kubernetes-secret-containing-opserviceaccounttoken) and referring to them in your deployment configuration. +Provide your Pod or Deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create a Kubernetes Secret](#step-1-create-a-kubernetes-secret-containing-opserviceaccounttoken) and refer to it in your deployment configuration. ```yaml # client-deployment.yaml
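Review bot: In PATCH 1/3, hunk `@@ -123,26 +123,31 @@`, the last sentence of the new paragraph inverts its condition: "If the deployments you're using are designed to have `command` specified in the deployment, then using the 1Password Kubernetes Operator may be a better fit" recommends the Operator for exactly the case the injector handles; it should read "aren't designed". PATCH 2/3 corrects this, so squash that fix into this commit rather than landing the wrong guidance. The removed line was also the only place that hyperlinked the Operator (`[1Password Kubernetes Operator](https://github.com/1password/onepassword-operator)`); the replacement text names it without a link, so carry the link over. Minor: "To access it in any other session" refers to the secrets and should be "To access them".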
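Review bot: In PATCH 1/3, hunk `@@ -166,12 +171,13 @@`, the `-`/`+` pair for the **NOTE:** line is textually identical, so this is a whitespace-only change (trailing whitespace, most likely). Either drop it from a commit titled "Update readme" or say so in the commit message, so reviewers do not search the two lines for a wording difference. While here, "comma separated list" in the Step 4 context should be "comma-separated list".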
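Review bot: In PATCH 1/3, hunk `@@ -190,7 +196,8 @@`, the new sentence does not parse: "is to [create Kubernetes Secrets](...) and referring to them" needs "and refer to them" (PATCH 3/3 fixes this; squash it here). "One possibility to safely provide these secrets" also claims more than the hunk supports, since nothing here says what makes a Kubernetes Secret a safe place for a Connect token; either drop "safely" or add the one-line caveat that the Secret needs to be protected like the token itself (restrict who can read it in the namespace, and rely on encryption at rest where the cluster provides it).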
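Review bot: In PATCH 1/3, hunk `@@ -208,23 +215,29 @@`, the Step 2 heading still carries a doubled word after the edit: "Add the label `secrets-injection=enabled` label to the namespace" only lost its trailing colon; it should read "Add the `secrets-injection=enabled` label to the namespace". Two points in the surrounding context lines are worth fixing in the same pass. The Step 6 reference syntax renders as `op:///[/section]/`, with the vault, item and field placeholders missing (angle-bracket placeholders swallowed as HTML, most likely); write it as `op://VAULT/ITEM[/SECTION]/FIELD` or escape the brackets so the documented form survives rendering. The Step 1 command passes the token on the command line (`kubectl create secret generic op-service-account --from-literal=token=YOUR_OP_SERVICE_ACCOUNT_TOKEN`), which leaves it in shell history and visible in process listings while it runs; mention `--from-file=token=<path>` with a restrictively permissioned file as the alternative for a real token.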
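Review bot: In PATCH 1/3, hunk `@@ -250,7 +267,8 @@`, the new Step 7 paragraph is a verbatim copy of the Connect section's Step 6 paragraph apart from the anchor, including the same "and referring to them" grammar error. Fix both in this commit, and keep the two paragraphs word-for-word identical so future edits stay in sync (PATCH 3/3 already lets them drift: "these credentials" in one, "these secrets" in the other).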
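Review bot: In PATCH 1/3, hunk `@@ -266,6 +284,7 @@`, the troubleshooting bullets have mixed punctuation (the second item ends with a period, the first and third do not); pick one. The third bullet ("Your container has a `command` field specifying the command to run the app in your container") is the natural place to point readers at the new `command` explanation added at line 123, since that paragraph is the first to say why the field is required.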
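Review bot: In PATCH 3/3, hunk `@@ -123,7 +123,7 @@`, the rewritten sentence introduces two typos: "mutating the this value on initilization" should be "mutating this value on initialization", and "as such a command is needed to be mutated" reads better as "so a command must be present to mutate". The link pins the Kubernetes API reference to v1.26 (`.../kubernetes-api/v1.26/#container-v1-core`), which will go stale; prefer an unversioned reference to the Container spec. Capitalization is also inconsistent within the hunk: "Pod" in the new line, "pod" in the unchanged **Note:** line directly below it.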
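Review bot: In PATCH 3/3, hunk `@@ -267,7 +267,7 @@`, the Service Accounts paragraph now says "safely provide these secrets" while the parallel Connect paragraph in hunk `@@ -196,7 +196,7 @@` was changed to "safely provide these credentials"; the two paragraphs are otherwise identical, so use the same noun in both (credentials is the more accurate one, since the Secret holds a token used to fetch the secrets, not the secrets themselves).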