Comments (9)
@jillianwilson I'm not 100% sure but I think this is the culprit: https://github.com/1Password/onepassword-operator/blob/b574e394ad649d2cbf6f61192f00a1918cef8df3/pkg/onepassword/secret_update_handler.go#L164
If the namespaces are given explicitly, there shouldn't be a need to list all of them, right?
from connect-helm-charts.
The deployment example included in the 1Password/onepassword-operator repository uses ClusterRoleBindings instead, which may work around the issue when the operator attempts to list all namespaces:
I'm seeing this even with namespaced secrets and it prevents updating secrets at all. Not sure why the namespaces need listing when updating a secret in 1pw? In our setups we've given permission to two namespaces, one of which is the operator namespace, and set autoUpdate to true. Would be good if the operator could live without a ClusterRoleBinding when the namespaces are defined.
I suspect that this is actually an issue with the operator and not with the helm chart since the operator should not need to list the namespaces if explicit list of them is given.
Hi there, thank you for bringing this issue to our attention, we are currently investigating.
@villesau I originally suspected that as well, but after some investigation I was also running into issues with listing deployments and secrets which cannot be avoided. I'm now thinking this might be more of a configuration issue with permissions in the helm chart itself.
Could we change those list operations to list the deployments and secrets in the watched namespaces specifically? We could then add a list permission for deployments so the operator is allowed to list deployments within the watched namespaces via the role binding.
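For readers wanting to see what "a list permission for deployments within the watched namespaces via the role binding" looks like in RBAC terms, here is a constructed example; it is not from the connect-helm-charts chart or the operator, and the namespace `app-a`, the Role name and the exact verb set are assumptions. The ServiceAccount name is the one mentioned elsewhere in this thread.

```yaml
# Constructed example, not chart code: a namespaced Role for one watched
# namespace ("app-a", hypothetical) plus a RoleBinding to the operator's
# ServiceAccount "onepassword-connect-operator" in namespace "onepassword".
# Verbs are an assumption about what the operator needs to read and update
# secrets and deployments in this namespace; trim them to your own findings.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: onepassword-operator-watched
  namespace: app-a
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
  # Note: "namespaces" is a cluster-scoped resource. A namespaced Role cannot
  # grant listing it; that needs a ClusterRole + ClusterRoleBinding, which is
  # why the workaround discussed in this thread falls back to one.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: onepassword-operator-watched
  namespace: app-a
subjects:
  - kind: ServiceAccount
    name: onepassword-connect-operator
    namespace: onepassword
roleRef:
  kind: Role
  name: onepassword-operator-watched
  apiGroup: rbac.authorization.k8s.io
```

Repeat the pair for each watched namespace, then confirm the effective permissions with `kubectl auth can-i list deployments -n app-a --as=system:serviceaccount:onepassword:onepassword-connect-operator` (and the same for `namespaces`, which should still report no).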
Hit this one on a couple of EKS clusters. OnePassword is configured with watchNamespace parameters, which stops it from applying the ClusterRoleBinding, therefore it doesn't have the permissions it needs to retrieve the list of namespaces when it is looking for an updated list. To fix this, we call the chart from Helm and have a local ClusterRoleBinding file that applies it arbitrarily. I might be missing some nuance here, but now it works as expected.
I, too, have watchNamespace set to watch some namespaces, so that description would match my case as well.
Any updates on this issue?