|
5 | 5 |
|
6 | 6 | ## Table of Contents |
7 | 7 |
|
| 8 | +- [Configuration Options](#configuration-options) |
8 | 9 | - [Prerequisites](#prerequisites) |
9 | 10 | - [Deploying 1Password Connect to Kubernetes](#deploying-1password-connect-to-kubernetes) |
10 | | -- [Kubernetes Operator Deployment](#kubernetes-operator-deployment) |
| 11 | +- [Kubernetes Operator Deployment With Connect](#kubernetes-operator-deployment-with-connect) |
| 12 | +- [Kubernetes Operator Deployment With Service Account](#kubernetes-operator-deployment-with-service-account) |
11 | 13 | - [Usage](#usage) |
12 | 14 | - [Configuring Automatic Rolling Restarts of Deployments](#configuring-automatic-rolling-restarts-of-deployments) |
13 | 15 | - [Development](#development) |
|
19 | 21 | - [`docker` installed](https://docs.docker.com/get-docker/) |
20 | 22 | - [A `1password-credentials.json` file generated and a 1Password Connect API Token issued for the K8s Operator integration](https://developer.1password.com/docs/connect/get-started/#step-1-set-up-a-secrets-automation-workflow) |
21 | 23 |
|
| 24 | +## Configuration options |
| 25 | +There are 2 ways 1Password Operator can talk to 1Password servers: |
| 26 | +- **Connect**: It uses the 1Password Connect API to access items in 1Password. |
| 27 | +- **Service Account**: It uses [1Password SDK](https://developer.1password.com/docs/sdks/) and [Service Account](https://developer.1password.com/docs/service-accounts) to access items in 1Password. |
| 28 | + |
22 | 29 | ## Deploying 1Password Connect to Kubernetes |
23 | 30 |
|
24 | 31 | If 1Password Connect is already running, you can skip this step. |
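Review bot: the new TOC entry `- [Configuration Options](#configuration-options)` is inserted above Prerequisites, but the `## Configuration options` section itself is added after the Prerequisites list (between the `1password-credentials.json` bullet and "Deploying 1Password Connect to Kubernetes"), so the TOC order no longer matches the document order; either move the TOC entry below `- [Prerequisites](#prerequisites)` or move the section above Prerequisites, and align the capitalisation ("Configuration Options" vs "Configuration options") while at it. The two bullets under the heading describe what each mode talks to but not how a deployer picks one; a short pointer from the **Connect** bullet to "Kubernetes Operator Deployment with Connect" and from the **Service Account** bullet to "Kubernetes Operator Deployment with Service Account" (and that the Service Account mode does not need a Connect server running, if that is the intent) would make the choice actionable. Also "There are 2 ways" reads better as "There are two ways", and a blank line between the heading and the first sentence would match the spacing used by the other sections in this file.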
@@ -60,7 +67,7 @@ Add the following environment variable to the onepassword-connect-operator conta |
60 | 67 |
|
61 | 68 | Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the current namespace. |
62 | 69 |
|
63 | | -### Kubernetes Operator Deployment |
| 70 | +## Kubernetes Operator Deployment with Connect |
64 | 71 |
|
65 | 72 | #### Create Kubernetes Secret for OP_CONNECT_TOKEN #### |
66 | 73 |
|
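Review bot: promoting `### Kubernetes Operator Deployment` to `## Kubernetes Operator Deployment with Connect` leaves the unchanged subsection `#### Create Kubernetes Secret for OP_CONNECT_TOKEN ####` directly under an h2, skipping the h3 level; suggest demoting it to `### Create Kubernetes Secret for OP_CONNECT_TOKEN` (and dropping the trailing `####`, which none of the other headings in this file use) so the outline stays consistent with the parallel Service Account section added later in this change.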
@@ -118,6 +125,64 @@ make deploy |
118 | 125 | make undeploy |
119 | 126 | ``` |
120 | 127 |
|
| 128 | +## Kubernetes Operator Deployment with Service Account |
| 129 | + |
| 130 | +#### Create Kubernetes Secret for OP_SERVICE_ACCOUNT_TOKEN #### |
| 131 | + |
| 132 | +Create a Service Account token for the operator and save it as a Kubernetes Secret: |
| 133 | + |
| 134 | +```bash |
| 135 | +kubectl create secret generic onepassword-service-account-token --from-literal=token="$OP_SERVICE_ACCOUNT_TOKEN" |
| 136 | +``` |
| 137 | + |
| 138 | +If you do not have a token for the operator, you can generate a token and save it to Kubernetes with the following command: |
| 139 | + |
| 140 | +```bash |
| 141 | +kubectl create secret generic onepassword-service-account-token --from-literal=token=$(op service-account create my-service-account --vault Dev:read_items --vault Test:read_items,write_items) |
| 142 | +``` |
| 143 | + |
| 144 | +**Deploying the Operator** |
| 145 | + |
| 146 | +An sample Deployment yaml can be found at `/config/manager/manager.yaml`. |
| 147 | +To use Operator with Service Account, you need to set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable in the `/config/manager/manager.yaml`. And remove `OP_CONNECT_TOKEN` and `OP_CONNECT_HOST` environment variables. |
| 148 | + |
| 149 | +To further configure the 1Password Kubernetes Operator the following Environment variables can be set in the operator yaml: |
| 150 | + |
| 151 | +- **OP_SERVICE_ACCOUNT_TOKEN** *(required)*: Specifies Service Account token within Kubernetes to access the 1Password items. |
| 152 | +- **WATCH_NAMESPACE:** *(default: watch all namespaces)*: Comma separated list of what Namespaces to watch for changes. |
| 153 | +- **POLLING_INTERVAL** *(default: 600)*: The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password. |
| 154 | +- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section. |
| 155 | + |
| 156 | +You can also set the logging level by setting `--zap-log-level` as an arg on the containers to either `debug`, `info` or `error`. (Note: the default value is `debug`.) |
| 157 | + |
| 158 | +Example: |
| 159 | +```yaml |
| 160 | +. |
| 161 | +. |
| 162 | +. |
| 163 | +containers: |
| 164 | + - command: |
| 165 | + - /manager |
| 166 | + args: |
| 167 | + - --leader-elect |
| 168 | + - --zap-log-level=info |
| 169 | + image: 1password/onepassword-operator:latest |
| 170 | +. |
| 171 | +. |
| 172 | +. |
| 173 | +``` |
| 174 | +To deploy the operator, simply run the following command: |
| 175 | + |
| 176 | +```shell |
| 177 | +make deploy |
| 178 | +``` |
| 179 | + |
| 180 | +**Undeploy Operator** |
| 181 | + |
| 182 | +``` |
| 183 | +make undeploy |
| 184 | +``` |
| 185 | + |
121 | 186 | ## Usage |
122 | 187 |
|
123 | 188 | To create a Kubernetes Secret from a 1Password item, create a yaml file with the following |
|
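Review bot: the secret created with `kubectl create secret generic onepassword-service-account-token --from-literal=token=...` is never wired to the `OP_SERVICE_ACCOUNT_TOKEN` environment variable that the text tells the reader to set in `/config/manager/manager.yaml`; without showing the `valueFrom: secretKeyRef:` form with `name: onepassword-service-account-token` and `key: token`, a reader is likely to paste the raw token into the manifest, which is exactly what creating the Secret was meant to avoid. Two further points in the same section: the token-generation example `op service-account create my-service-account --vault Dev:read_items --vault Test:read_items,write_items` grants `write_items` on Test although the variable description only says the token is used "to access the 1Password items", so either drop `write_items` to keep the operator's credential read-only or state why write access is needed; and the example manifest uses `image: 1password/onepassword-operator:latest`, which is worth replacing with a pinned version tag (or digest) in documentation that people copy into production clusters. Minor: "An sample Deployment yaml" should be "A sample Deployment yaml", "To use Operator with Service Account" should be "To use the operator with a Service Account", the "And remove `OP_CONNECT_TOKEN` and `OP_CONNECT_HOST` environment variables." fragment should be joined to the preceding sentence, the `**WATCH_NAMESPACE:**` bullet puts the colon inside the bold unlike its siblings, `AUTO_RESTART` is the only variable whose `(default: false)` is not italicised, and the `make undeploy` block uses a bare ``` fence while the `make deploy` block above it uses ```shell.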