Please replace "itemPath" with two parameters: "vault" and "item" #117
Comments
Hello! I've added your request to our internal tracker. I can't make promises about implementation, but I wanted to make sure you knew we've seen your suggestion. Thanks!
It's possible to use replacement in kustomize since https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.3 to be able to change the vault id. Here's a direct link to the replacement documentation: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/replacements/
I use a config map to store the vault id:
replacement-config.yaml
with the following replacement:
replacement.yaml
and add the following lines into the kustomization.yaml
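A sketch of the Kustomize replacement approach described in the comment above, as an added example that is not the commenter's own files or the project's code. The ConfigMap name `onepassword-vault`, the key `vaultId`, the file `onepassworditem.yaml`, the item name and the vault value are all assumptions; the `delimiter`/`index` options swap only the vault segment of `itemPath`.

```yaml
# --- replacement-config.yaml (constructed example) ---
# Holds the per-environment vault; each overlay patches only this value.
apiVersion: v1
kind: ConfigMap
metadata:
  name: onepassword-vault          # hypothetical name
data:
  vaultId: staging                 # constructed value; "production" in the prod overlay
---
# --- onepassworditem.yaml (constructed example) ---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: db-credentials             # hypothetical item
spec:
  # The second "/"-separated segment is a placeholder that the replacement overwrites.
  itemPath: "vaults/VAULT_PLACEHOLDER/items/db-credentials"
---
# --- replacement.yaml (constructed example) ---
# Copies data.vaultId into segment 1 of spec.itemPath:
#   vaults / <segment 1> / items / db-credentials
source:
  kind: ConfigMap
  name: onepassword-vault
  fieldPath: data.vaultId
targets:
  - select:
      kind: OnePasswordItem
    fieldPaths:
      - spec.itemPath
    options:
      delimiter: "/"
      index: 1
---
# --- kustomization.yaml (constructed example) ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - replacement-config.yaml
  - onepassworditem.yaml
replacements:
  - path: replacement.yaml
```

Rendering with `kustomize build` and checking that `spec.itemPath` reads `vaults/staging/items/db-credentials` before applying confirms each environment resolves secrets from the intended vault.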
Hey @rkr-kununu! 👋 Would the suggestion mentioned by @havard024 work for your case with Kustomize 4.1.3 or later? 🤔
Summary
The OnePasswordItem CRD "itemPath" and annotations "operator.1password.io/item-path" make it difficult to create a consistent staging and production deployment, where the only variant is the vault that's used.
Consider separating this into two fields: "vault" and "item".
Use cases
If I have a production and a staging environment, I want to have them be nearly identical. However, I want them to use different credentials... in terms of 1Password, separating them into two different vaults ("staging", "prod") seems to be the most logical choice.
However, this means your OnePasswordItem needs to have an itemPath in the syntax of vaults/<vault_id_or_title>/items/<item_id_or_title>. Unfortunately, partial string replacements with tools like Kustomize are not possible. It prefers the full text replacement of certain fields (for example using the ReplacementTransformer).
Proposed solution
I would suggest altering OnePasswordItem to look like:
...and the Deployment annotation could look like:
One interesting side-effect of this decoupling is that vault: or operator.1password.io/item-vault would be optional. It means that the Onepassword-Operator could be expanded to include a "default vault".
So for my use case: My stored OnePasswordItem and operator.1password.io/ annotations would include an item: or operator.1password.io/item-item, but when I deploy these configurations to staging, I'd merely set the "default vault" to be staging on my Onepassword-Operator. Then for production, I'd simply set the Onepassword-Operator's "default vault" to production. It's a single change and trivial to maintain.
Is there a workaround to accomplish this today?
The only option would be to use External Secrets in conjunction with stakater/Reloader. Unfortunately, this comes at the expense of needing two different annotations (one for External Secrets and a second for Reloader).
References & Prior Work
See link above.