Using with Helm (connect-helm-charts issue, closed)

1password commented on June 1, 2024
Using with Helm

from connect-helm-charts.

Comments (8)

florisvdg commented on June 1, 2024

Yes, it does, but you have to explicitly enable it:

operator:
  create: true
  serviceAccount:
    create: true
  roleBinding:
    create: true
  clusterRole:
    create: true

In the next release, we'll make it create the RBAC resources by default so you'll only have to add --set operator.create=true.

florisvdg commented on June 1, 2024
  1. Move the secrets from your values.yaml to a 1Password vault
  2. Set up 1Password Secrets Automation for that vault
  3. Use the Helm chart to deploy Connect+operator
  4. For every secret you want to make available in your Kubernetes cluster, add a OnePasswordItem CRD where you specify which 1Password item should map to which Kubernetes Secret.

And all your deployment specs can stay the same if they were using Kubernetes Secrets already.

nodesocket commented on June 1, 2024

@florisvdg thanks for the help.

I have completed steps 1, 2, 3.

ubuntu@kubectl:/tmp$ kubectl get pods
NAME                                   READY   STATUS             RESTARTS   AGE
onepassword-connect-57bcf96ff8-vzvt6   2/2     Running            0          6m8s

When trying to store the CRD though, I am getting the following error:

ubuntu@kubectl:/tmp$ kubectl create -f test-onepassword-secret.yaml
error: unable to recognize "test-onepassword-secret.yaml": no matches for kind "OnePasswordItem" in version "onepassword.com/v1"

The contents of test-onepassword-secret.yaml are:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: onepassword-api-env
spec:
  itemPath: vaults/Acme-Test/items/api-env

nodesocket commented on June 1, 2024

@florisvdg found my problem, needed a few more flags when doing the Helm install:

helm install onepassword-connect 1password/connect --set-file connect.credentials=~/1password-credentials.json --set operator.create=true --set operator.token.value=<ONEPASSWORD_TOKEN>

I was able to store the secret using the above test-onepassword-secret.yaml, but aren't I supposed to be able to see the secret when doing:

kubectl get secrets

I do see the onepassworditem CRD:

ubuntu@kubectl:/tmp$ kubectl describe onepassworditem onepassword-api-env
Name:         onepassword-api-env
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  onepassword.com/v1
Kind:         OnePasswordItem
Metadata:
  Creation Timestamp:  2021-04-20T22:45:33Z
  Generation:          1
  Managed Fields:
    API Version:  onepassword.com/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:itemPath:
    Manager:         kubectl-create
    Operation:       Update
    Time:            2021-04-20T22:45:33Z
  Resource Version:  58891898
  Self Link:         /apis/onepassword.com/v1/namespaces/default/onepassworditems/onepassword-api-env
  UID:               7ea1037f-039a-41f7-8c96-410696c0ce3b
Spec:
  Item Path:  vaults/Acme-Test/items/api-env
Events:       <none>

jillianwilson commented on June 1, 2024

@nodesocket When you set up using the helm chart did you create a cluster role, service account, and rolebinding for the operator?

nodesocket commented on June 1, 2024

@jillianwilson thanks for the reply. Doesn't the official helm chart create the cluster role, service account, and role binding? If not, why not? Also, I must have missed that in the documentation. Can you point me to it?

nodesocket commented on June 1, 2024

@florisvdg ok thanks. Any idea when the next release is due to come out with RBAC resources created by default?

Also, can I use Secure Notes in 1Password? Does the Kubernetes integration care what type of item it is in 1Password?

florisvdg commented on June 1, 2024

v1.2.0 has just been released, but note: you do have to change the Helm repo URL to https://1password.github.io/connect-helm-charts to get the update.

And about the secure notes, the Kubernetes operator treats them like any other 1Password item. The Kubernetes Secret field where the note contents will get mapped to is notesPlain.

from connect-helm-charts.
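
The two failures in this thread (the unrecognised `OnePasswordItem` kind, then an accepted item with no Secret appearing) can be checked in order with a short script. This is an added example, not code from the chart, the operator, or any commenter. It assumes the operator runs in the same namespace as the item, that the generated Secret has the same name as the `OnePasswordItem`, and that you pass in the operator's service account name yourself (the page does not give it); the CRD name is derived from the self link shown above.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch: not part of the chart or the operator.
# KUBECTL can be overridden (for example with a stub) for offline testing.
KUBECTL="${KUBECTL:-kubectl}"

# diagnose_item ITEM NAMESPACE OPERATOR_SA
# Prints the first failing stage (or "ok") and returns non-zero on failure.
# OPERATOR_SA is a hypothetical parameter: the operator's service account
# name is chart-specific, so look it up with `kubectl get serviceaccounts`.
diagnose_item() {
  item=$1; ns=${2:-default}; sa=$3

  # Stage 1: is the CRD registered? If not, `kubectl create` fails with
  # 'no matches for kind "OnePasswordItem"' (operator.create was not set).
  if ! $KUBECTL get crd onepassworditems.onepassword.com >/dev/null 2>&1; then
    echo "crd-missing"; return 1
  fi

  # Stage 2: may the operator's service account write Secrets here?
  # Without the role and binding, the item is accepted but no Secret appears.
  if ! $KUBECTL auth can-i create secrets -n "$ns" \
        --as="system:serviceaccount:$ns:$sa" >/dev/null 2>&1; then
    echo "rbac-missing"; return 2
  fi

  # Stage 3: does the OnePasswordItem itself exist in this namespace?
  if ! $KUBECTL get onepassworditem "$item" -n "$ns" >/dev/null 2>&1; then
    echo "item-missing"; return 3
  fi

  # Stage 4: did the operator create the Secret? Assumption: the Secret
  # carries the same name as the OnePasswordItem.
  if ! $KUBECTL get secret "$item" -n "$ns" >/dev/null 2>&1; then
    echo "secret-missing"; return 4
  fi

  echo "ok"
}
```

Call it as `diagnose_item onepassword-api-env default <operator-service-account>`; the `--as` impersonation in stage 2 requires that your own account is allowed to impersonate service accounts.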
