Merge branch 'vzt/service-accounts-support' into vzt/fix-context

# Conflicts: # USAGEGUIDE.md # cmd/main.go # pkg/onepassword/client/client.go # pkg/onepassword/items.go
2025-10-22 07:28:06 +00:00 · 2025-06-17 13:21:39 -05:00
parent 83b294690a b717823fd0
commit 13abcb9c8f
19 changed files with 142 additions and 119 deletions
--- a/.VERSION
+++ b/.VERSION
@@ -1 +1 @@
-1.9.0
+1.8.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,14 +12,6 @@
 ---
 [//]: # (START/v1.9.0)
 # v1.9.0
 ## Features
 * Support Service Accounts. {#160}
 ---
 [//]: # (START/v1.8.1)
 # v1.8.1
--- a/2
+++ b/2
@@ -24,7 +24,7 @@ COPY version/ version/
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 \
-    GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} GO111MODULE=on \
+    GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
    go build \
    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
    -a -o manager cmd/main.go
--- a/USAGEGUIDE.md
+++ b/USAGEGUIDE.md
@@ -107,7 +107,8 @@ containers:
 ---
-## [Usage examples](https://developer.1password.com/docs/k8s/operator/?deployment-type=manual#usage-examples)
+## Usage examples
 Find usage [examples](https://developer.1password.com/docs/k8s/operator/?deployment-type=manual#usage-examples) on 1Password developer documentation.
 ---
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -156,7 +156,10 @@ func main() {
 	}
 	// Setup One Password Client
-	opClient, err := opclient.NewClient(ctx, version.OperatorVersion)
+	opClient, err := opclient.NewFromEnvironment(ctx, opclient.Config{
 		Logger:  setupLog,
 		Version: version.OperatorVersion,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to create 1Password client")
 		os.Exit(1)
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -75,25 +75,33 @@ spec:
        image: 1password/onepassword-operator:latest
        name: manager
        env:
-          - name: WATCH_NAMESPACE
+          - name: OPERATOR_NAME
-            value: "default"
+            value: "onepassword-connect-operator"
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
-          - name: OPERATOR_NAME
+          - name: WATCH_NAMESPACE
-            value: "onepassword-connect-operator"
+            value: "default"
          - name: OP_CONNECT_HOST
            value: "http://onepassword-connect:8080"
          - name: POLLING_INTERVAL
            value: "10"
          - name: AUTO_RESTART
            value: "false"
          - name: OP_CONNECT_HOST
            value: "http://onepassword-connect:8080"
          - name: OP_CONNECT_TOKEN
            valueFrom:
              secretKeyRef:
                name: onepassword-token
                key: token
-          - name: AUTO_RESTART
+          - name: MANAGE_CONNECT
            value: "false"
 #            Uncomment the following lines to enable service account token and comment out the OP_CONNECT_TOKEN, OP_CONNECT_HOST and MANAGE_CONNECT env vars.
 #          - name: OP_SERVICE_ACCOUNT_TOKEN
 #            valueFrom:
 #              secretKeyRef:
 #                name: onepassword-service-account-token
 #                key: token
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@@ -26,7 +26,6 @@ package controller
 import (
 	"context"
 	"github.com/stretchr/testify/mock"
 	"path/filepath"
 	"regexp"
 	"testing"
@@ -34,6 +33,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/stretchr/testify/mock"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -2,16 +2,13 @@ package kubernetessecrets
 import (
 	"context"
 	errs "errors"
 	"fmt"
-	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
+	"reflect"
 	"regexp"
 	"strings"
-	"reflect"
+	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
 	errs "errors"
 	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
--- a/pkg/onepassword/client/client.go
+++ b/pkg/onepassword/client/client.go
@@ -3,9 +3,10 @@ package client
 import (
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"github.com/go-logr/logr"
 	"github.com/1Password/onepassword-operator/pkg/onepassword/client/connect"
 	"github.com/1Password/onepassword-operator/pkg/onepassword/client/sdk"
 	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
@@ -19,8 +20,13 @@ type Client interface {
 	GetVaultsByTitle(ctx context.Context, title string) ([]model.Vault, error)
 }
-// NewClient creates a new 1Password client based on the provided configuration.
+type Config struct {
-func NewClient(ctx context.Context, integrationVersion string) (Client, error) {
+	Logger  logr.Logger
 	Version string
 }
 // NewFromEnvironment creates a new 1Password client based on the provided configuration.
 func NewFromEnvironment(ctx context.Context, cfg Config) (Client, error) {
 	connectHost, _ := os.LookupEnv("OP_CONNECT_HOST")
 	connectToken, _ := os.LookupEnv("OP_CONNECT_TOKEN")
 	serviceAccountToken, _ := os.LookupEnv("OP_SERVICE_ACCOUNT_TOKEN")
@@ -30,16 +36,16 @@ func NewClient(ctx context.Context, integrationVersion string) (Client, error) {
 	}
 	if serviceAccountToken != "" {
-		fmt.Printf("Using Service Account Token")
+		cfg.Logger.Info("Using Service Account Token")
 		return sdk.NewClient(ctx, sdk.Config{
 			ServiceAccountToken: serviceAccountToken,
 			IntegrationName:     "1password-operator",
-			IntegrationVersion:  integrationVersion,
+			IntegrationVersion:  cfg.Version,
 		})
 	}
 	if connectHost != "" && connectToken != "" {
-		fmt.Printf("Using Connect")
+		cfg.Logger.Info("Using 1Password Connect")
 		return connect.NewClient(connect.Config{
 			ConnectHost:  connectHost,
 			ConnectToken: connectToken,
--- a/pkg/onepassword/client/connect/connect.go
+++ b/pkg/onepassword/client/connect/connect.go
@@ -13,7 +13,6 @@ import (
 type Config struct {
 	ConnectHost  string
 	ConnectToken string
 	UserAgent    string
 }
 // Connect is a client for interacting with 1Password using the Connect API.
@@ -31,7 +30,7 @@ func NewClient(config Config) *Connect {
 func (c *Connect) GetItemByID(ctx context.Context, vaultID, itemID string) (*model.Item, error) {
 	connectItem, err := c.client.GetItemByUUID(itemID, vaultID)
 	if err != nil {
-		return nil, fmt.Errorf("1password Connect error: %w", err)
+		return nil, fmt.Errorf("1Password Connect error: %w", err)
 	}
 	var item model.Item
@@ -43,14 +42,14 @@ func (c *Connect) GetItemsByTitle(ctx context.Context, vaultID, itemTitle string
 	// Get all items in the vault with the specified title
 	connectItems, err := c.client.GetItemsByTitle(itemTitle, vaultID)
 	if err != nil {
-		return nil, fmt.Errorf("1password Connect error: %w", err)
+		return nil, fmt.Errorf("1Password Connect error: %w", err)
 	}
-	var items []model.Item
+	items := make([]model.Item, len(connectItems))
-	for _, connectItem := range connectItems {
+	for i, connectItem := range connectItems {
 		var item model.Item
 		item.FromConnectItem(&connectItem)
-		items = append(items, item)
+		items[i] = item
 	}
 	return items, nil
@@ -61,7 +60,7 @@ func (c *Connect) GetFileContent(ctx context.Context, vaultID, itemID, fileID st
 		ContentPath: fmt.Sprintf("/v1/vaults/%s/items/%s/files/%s/content", vaultID, itemID, fileID),
 	})
 	if err != nil {
-		return nil, fmt.Errorf("1password Connect error: %w", err)
+		return nil, fmt.Errorf("1Password Connect error: %w", err)
 	}
 	return bytes, nil
@@ -70,7 +69,7 @@ func (c *Connect) GetFileContent(ctx context.Context, vaultID, itemID, fileID st
 func (c *Connect) GetVaultsByTitle(ctx context.Context, vaultQuery string) ([]model.Vault, error) {
 	connectVaults, err := c.client.GetVaultsByTitle(vaultQuery)
 	if err != nil {
-		return nil, fmt.Errorf("1password Connect error: %w", err)
+		return nil, fmt.Errorf("1Password Connect error: %w", err)
 	}
 	var vaults []model.Vault
@@ -81,6 +80,5 @@ func (c *Connect) GetVaultsByTitle(ctx context.Context, vaultQuery string) ([]mo
 			vaults = append(vaults, vault)
 		}
 	}
 	return vaults, nil
 }
--- a/pkg/onepassword/client/connect/connect_test.go
+++ b/pkg/onepassword/client/connect/connect_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
@@ -160,6 +161,7 @@ func TestConnect_GetFileContent(t *testing.T) {
 }
 func TestConnect_GetVaultsByTitle(t *testing.T) {
 	now := time.Now()
 	testCases := map[string]struct {
 		mockClient func() *mock.ConnectClientMock
 		check      func(t *testing.T, vaults []model.Vault, err error)
@@ -169,12 +171,14 @@ func TestConnect_GetVaultsByTitle(t *testing.T) {
 				mockConnectClient := &mock.ConnectClientMock{}
 				mockConnectClient.On("GetVaultsByTitle", VaultTitleEmployee).Return([]onepassword.Vault{
 					{
-						ID:   "test-id",
+						ID:        "test-id",
-						Name: VaultTitleEmployee,
+						Name:      VaultTitleEmployee,
 						CreatedAt: now,
 					},
 					{
-						ID:   "test-id-2",
+						ID:        "test-id-2",
-						Name: "Some other vault",
+						Name:      "Some other vault",
 						CreatedAt: now,
 					},
 				}, nil)
 				return mockConnectClient
@@ -183,6 +187,7 @@ func TestConnect_GetVaultsByTitle(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, vaults, 1)
 				require.Equal(t, "test-id", vaults[0].ID)
 				require.Equal(t, now, vaults[0].CreatedAt)
 			},
 		},
 		"should return a two vaults": {
@@ -190,12 +195,14 @@ func TestConnect_GetVaultsByTitle(t *testing.T) {
 				mockConnectClient := &mock.ConnectClientMock{}
 				mockConnectClient.On("GetVaultsByTitle", VaultTitleEmployee).Return([]onepassword.Vault{
 					{
-						ID:   "test-id",
+						ID:        "test-id",
-						Name: VaultTitleEmployee,
+						Name:      VaultTitleEmployee,
 						CreatedAt: now,
 					},
 					{
-						ID:   "test-id-2",
+						ID:        "test-id-2",
-						Name: VaultTitleEmployee,
+						Name:      VaultTitleEmployee,
 						CreatedAt: now,
 					},
 				}, nil)
 				return mockConnectClient
@@ -205,8 +212,10 @@ func TestConnect_GetVaultsByTitle(t *testing.T) {
 				require.Len(t, vaults, 2)
 				// Check the first vault
 				require.Equal(t, "test-id", vaults[0].ID)
 				require.Equal(t, now, vaults[0].CreatedAt)
 				// Check the second vault
 				require.Equal(t, "test-id-2", vaults[1].ID)
 				require.Equal(t, now, vaults[1].CreatedAt)
 			},
 		},
 		"should return an error": {
--- a/pkg/onepassword/client/sdk/sdk.go
+++ b/pkg/onepassword/client/sdk/sdk.go
@@ -26,7 +26,7 @@ func NewClient(ctx context.Context, config Config) (*SDK, error) {
 		sdk.WithIntegrationInfo(config.IntegrationName, config.IntegrationVersion),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("1password sdk error: %w", err)
+		return nil, fmt.Errorf("1Password sdk error: %w", err)
 	}
 	return &SDK{
@@ -37,7 +37,7 @@ func NewClient(ctx context.Context, config Config) (*SDK, error) {
 func (s *SDK) GetItemByID(ctx context.Context, vaultID, itemID string) (*model.Item, error) {
 	sdkItem, err := s.client.Items().Get(ctx, vaultID, itemID)
 	if err != nil {
-		return nil, fmt.Errorf("1password sdk error: %w", err)
+		return nil, fmt.Errorf("1Password sdk error: %w", err)
 	}
 	var item model.Item
@@ -49,7 +49,7 @@ func (s *SDK) GetItemsByTitle(ctx context.Context, vaultID, itemTitle string) ([
 	// Get all items in the vault
 	sdkItems, err := s.client.Items().List(ctx, vaultID)
 	if err != nil {
-		return nil, fmt.Errorf("1password sdk error: %w", err)
+		return nil, fmt.Errorf("1Password sdk error: %w", err)
 	}
 	// Filter items by title
@@ -70,7 +70,7 @@ func (s *SDK) GetFileContent(ctx context.Context, vaultID, itemID, fileID string
 		ID: fileID,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("1password sdk error: %w", err)
+		return nil, fmt.Errorf("1Password sdk error: %w", err)
 	}
 	return bytes, nil
@@ -80,7 +80,7 @@ func (s *SDK) GetVaultsByTitle(ctx context.Context, title string) ([]model.Vault
 	// List all vaults
 	sdkVaults, err := s.client.Vaults().List(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("1password sdk error: %w", err)
+		return nil, fmt.Errorf("1Password sdk error: %w", err)
 	}
 	// Filter vaults by title
--- a/pkg/onepassword/client/sdk/sdk_test.go
+++ b/pkg/onepassword/client/sdk/sdk_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
@@ -23,7 +24,7 @@ func TestSDK_GetItemByID(t *testing.T) {
 		mockItemAPI func() *clientmock.ItemAPIMock
 		check       func(t *testing.T, item *model.Item, err error)
 	}{
-		"should return a single vault": {
+		"should return a single item": {
 			mockItemAPI: func() *clientmock.ItemAPIMock {
 				m := &clientmock.ItemAPIMock{}
 				m.On("Get", context.Background(), "vault-id", "item-id").Return(*sdkItem, nil)
@@ -103,6 +104,17 @@ func TestSDK_GetItemsByTitle(t *testing.T) {
 				clienttesting.CheckSDKItemOverviewMapping(t, sdkItem2, &items[1])
 			},
 		},
 		"should return empty list": {
 			mockItemAPI: func() *clientmock.ItemAPIMock {
 				m := &clientmock.ItemAPIMock{}
 				m.On("List", context.Background(), "vault-id", mock.Anything).Return([]sdk.ItemOverview{}, nil)
 				return m
 			},
 			check: func(t *testing.T, items []model.Item, err error) {
 				require.NoError(t, err)
 				require.Len(t, items, 0)
 			},
 		},
 		"should return an error": {
 			mockItemAPI: func() *clientmock.ItemAPIMock {
 				m := &clientmock.ItemAPIMock{}
@@ -191,8 +203,8 @@ func TestSDK_GetFileContent(t *testing.T) {
 	}
 }
 // TODO: check CreatedAt as soon as a new SDK version returns it
 func TestSDK_GetVaultsByTitle(t *testing.T) {
 	now := time.Now()
 	testCases := map[string]struct {
 		mockVaultAPI func() *clientmock.VaultAPIMock
 		check        func(t *testing.T, vaults []model.Vault, err error)
@@ -202,12 +214,14 @@ func TestSDK_GetVaultsByTitle(t *testing.T) {
 				m := &clientmock.VaultAPIMock{}
 				m.On("List", context.Background()).Return([]sdk.VaultOverview{
 					{
-						ID:    "test-id",
+						ID:        "test-id",
-						Title: VaultTitleEmployee,
+						Title:     VaultTitleEmployee,
 						CreatedAt: now,
 					},
 					{
-						ID:    "test-id-2",
+						ID:        "test-id-2",
-						Title: "Some other vault",
+						Title:     "Some other vault",
 						CreatedAt: now,
 					},
 				}, nil)
 				return m
@@ -216,6 +230,7 @@ func TestSDK_GetVaultsByTitle(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, vaults, 1)
 				require.Equal(t, "test-id", vaults[0].ID)
 				require.Equal(t, now, vaults[0].CreatedAt)
 			},
 		},
 		"should return a two vaults": {
@@ -223,12 +238,14 @@ func TestSDK_GetVaultsByTitle(t *testing.T) {
 				m := &clientmock.VaultAPIMock{}
 				m.On("List", context.Background()).Return([]sdk.VaultOverview{
 					{
-						ID:    "test-id",
+						ID:        "test-id",
-						Title: VaultTitleEmployee,
+						Title:     VaultTitleEmployee,
 						CreatedAt: now,
 					},
 					{
-						ID:    "test-id-2",
+						ID:        "test-id-2",
-						Title: VaultTitleEmployee,
+						Title:     VaultTitleEmployee,
 						CreatedAt: now,
 					},
 				}, nil)
 				return m
@@ -238,8 +255,10 @@ func TestSDK_GetVaultsByTitle(t *testing.T) {
 				require.Len(t, vaults, 2)
 				// Check the first vault
 				require.Equal(t, "test-id", vaults[0].ID)
 				require.Equal(t, now, vaults[0].CreatedAt)
 				// Check the second vault
 				require.Equal(t, "test-id-2", vaults[1].ID)
 				require.Equal(t, now, vaults[1].CreatedAt)
 			},
 		},
 		"should return an error": {
--- a/pkg/onepassword/client/testing/mock/connect.go
+++ b/pkg/onepassword/client/testing/mock/connect.go
@@ -12,7 +12,7 @@ type ConnectClientMock struct {
 }
 func (c *ConnectClientMock) GetVaults() ([]onepassword.Vault, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
@@ -22,12 +22,12 @@ func (c *ConnectClientMock) GetVault(uuid string) (*onepassword.Vault, error) {
 }
 func (c *ConnectClientMock) GetVaultByUUID(uuid string) (*onepassword.Vault, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) GetVaultByTitle(title string) (*onepassword.Vault, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
@@ -37,12 +37,12 @@ func (c *ConnectClientMock) GetVaultsByTitle(title string) ([]onepassword.Vault,
 }
 func (c *ConnectClientMock) GetItems(vaultQuery string) ([]onepassword.Item, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) GetItem(itemQuery, vaultQuery string) (*onepassword.Item, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
@@ -52,7 +52,7 @@ func (c *ConnectClientMock) GetItemByUUID(uuid string, vaultQuery string) (*onep
 }
 func (c *ConnectClientMock) GetItemByTitle(title string, vaultQuery string) (*onepassword.Item, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
@@ -62,37 +62,37 @@ func (c *ConnectClientMock) GetItemsByTitle(title string, vaultQuery string) ([]
 }
 func (c *ConnectClientMock) CreateItem(item *onepassword.Item, vaultQuery string) (*onepassword.Item, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) UpdateItem(item *onepassword.Item, vaultQuery string) (*onepassword.Item, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) DeleteItem(item *onepassword.Item, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) DeleteItemByID(itemUUID string, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) DeleteItemByTitle(title string, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) GetFiles(itemQuery string, vaultQuery string) ([]onepassword.File, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) GetFile(uuid string, itemQuery string, vaultQuery string) (*onepassword.File, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
@@ -105,26 +105,26 @@ func (c *ConnectClientMock) GetFileContent(file *onepassword.File) ([]byte, erro
 }
 func (c *ConnectClientMock) DownloadFile(file *onepassword.File, targetDirectory string, overwrite bool) (string, error) {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) LoadStructFromItemByUUID(config interface{}, itemUUID string, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) LoadStructFromItemByTitle(config interface{}, itemTitle string, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) LoadStructFromItem(config interface{}, itemQuery string, vaultQuery string) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
 func (c *ConnectClientMock) LoadStruct(config interface{}) error {
-	//TODO implement me
+	// Only implement this if mocking is needed
 	panic("implement me")
 }
--- a/pkg/onepassword/items.go
+++ b/pkg/onepassword/items.go
@@ -14,18 +14,18 @@ import (
 var logger = logf.Log.WithName("retrieve_item")
 func GetOnePasswordItemByPath(ctx context.Context, opClient opclient.Client, path string) (*model.Item, error) {
-	vaultIdentifier, itemIdentifier, err := ParseVaultAndItemFromPath(path)
+	vaultNameOrID, itemNameOrID, err := ParseVaultAndItemFromPath(path)
 	if err != nil {
 		return nil, err
 	}
-	vaultID, err := getVaultID(ctx, opClient, vaultIdentifier)
+	vaultID, err := getVaultID(ctx, opClient, vaultNameOrID)
 	if err != nil {
-		return nil, fmt.Errorf("failed to 'getVaultID' for vaultIdentifier='%s': %w", vaultIdentifier, err)
+		return nil, fmt.Errorf("failed to 'getVaultID' for vaultNameOrID='%s': %w", vaultNameOrID, err)
 	}
-	itemID, err := getItemID(ctx, opClient, vaultID, itemIdentifier)
+	itemID, err := getItemID(ctx, opClient, vaultID, itemNameOrID)
 	if err != nil {
-		return nil, fmt.Errorf("faild to 'getItemID' for vaultID='%s' and itemIdentifier='%s': %w", vaultID, itemIdentifier, err)
+		return nil, fmt.Errorf("faild to 'getItemID' for vaultID='%s' and itemNameOrID='%s': %w", vaultID, itemNameOrID, err)
 	}
 	item, err := opClient.GetItemByID(ctx, vaultID, itemID)
@@ -51,15 +51,15 @@ func ParseVaultAndItemFromPath(path string) (string, string, error) {
 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
 }
-func getVaultID(ctx context.Context, client opclient.Client, vaultIdentifier string) (string, error) {
+func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID string) (string, error) {
-	if !IsValidClientUUID(vaultIdentifier) {
+	if !IsValidClientUUID(vaultNameOrID) {
-		vaults, err := client.GetVaultsByTitle(ctx, vaultIdentifier)
+		vaults, err := client.GetVaultsByTitle(ctx, vaultNameOrID)
 		if err != nil {
 			return "", err
 		}
 		if len(vaults) == 0 {
-			return "", fmt.Errorf("No vaults found with identifier %q", vaultIdentifier)
+			return "", fmt.Errorf("No vaults found with identifier %q", vaultNameOrID)
 		}
 		oldestVault := vaults[0]
@@ -69,22 +69,22 @@ func getVaultID(ctx context.Context, client opclient.Client, vaultIdentifier str
 					oldestVault = returnedVault
 				}
 			}
-			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", len(vaults), vaultIdentifier, oldestVault.ID))
+			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", len(vaults), vaultNameOrID, oldestVault.ID))
 		}
-		vaultIdentifier = oldestVault.ID
+		vaultNameOrID = oldestVault.ID
 	}
-	return vaultIdentifier, nil
+	return vaultNameOrID, nil
 }
-func getItemID(ctx context.Context, client opclient.Client, vaultId, itemIdentifier string) (string, error) {
+func getItemID(ctx context.Context, client opclient.Client, vaultId, itemNameOrID string) (string, error) {
-	if !IsValidClientUUID(itemIdentifier) {
+	if !IsValidClientUUID(itemNameOrID) {
-		items, err := client.GetItemsByTitle(ctx, vaultId, itemIdentifier)
+		items, err := client.GetItemsByTitle(ctx, vaultId, itemNameOrID)
 		if err != nil {
 			return "", err
 		}
 		if len(items) == 0 {
-			return "", fmt.Errorf("No items found with identifier %q", itemIdentifier)
+			return "", fmt.Errorf("No items found with identifier %q", itemNameOrID)
 		}
 		oldestItem := items[0]
@@ -94,9 +94,9 @@ func getItemID(ctx context.Context, client opclient.Client, vaultId, itemIdentif
 					oldestItem = returnedItem
 				}
 			}
-			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", len(items), itemIdentifier, oldestItem.ID))
+			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", len(items), itemNameOrID, oldestItem.ID))
 		}
-		itemIdentifier = oldestItem.ID
+		itemNameOrID = oldestItem.ID
 	}
-	return itemIdentifier, nil
+	return itemNameOrID, nil
 }
--- a/pkg/onepassword/model/item.go
+++ b/pkg/onepassword/model/item.go
@@ -52,9 +52,8 @@ func (i *Item) FromSDKItem(item *sdk.Item) {
 	i.VaultID = item.VaultID
 	i.Version = int(item.Version)
-	for _, tag := range item.Tags {
+	i.Tags = make([]string, len(item.Tags))
-		i.Tags = append(i.Tags, tag)
+	copy(i.Tags, item.Tags)
 	}
 	for _, field := range item.Fields {
 		i.Fields = append(i.Fields, ItemField{
@@ -79,9 +78,8 @@ func (i *Item) FromSDKItemOverview(item *sdk.ItemOverview) {
 	i.ID = item.ID
 	i.VaultID = item.VaultID
-	for _, tag := range item.Tags {
+	i.Tags = make([]string, len(item.Tags))
-		i.Tags = append(i.Tags, tag)
+	copy(i.Tags, item.Tags)
 	}
 	i.CreatedAt = item.CreatedAt
 }
--- a/pkg/onepassword/model/vault.go
+++ b/pkg/onepassword/model/vault.go
@@ -19,5 +19,5 @@ func (v *Vault) FromConnectVault(vault *connect.Vault) {
 func (v *Vault) FromSDKVault(vault *sdk.VaultOverview) {
 	v.ID = vault.ID
-	v.CreatedAt = time.Now() // TODO: add to SDK and use it instead of time.Now()
+	v.CreatedAt = vault.CreatedAt
 }
--- a/pkg/onepassword/model/vault_test.go
+++ b/pkg/onepassword/model/vault_test.go
@@ -23,14 +23,15 @@ func TestVault_FromConnectVault(t *testing.T) {
 	require.Equal(t, connectVault.CreatedAt, vault.CreatedAt)
 }
 // TODO: check CreatedAt when available
 func TestVault_FromSDKVault(t *testing.T) {
 	sdkVault := &sdk.VaultOverview{
-		ID: "test-id",
+		ID:        "test-id",
 		CreatedAt: time.Now(),
 	}
 	vault := &Vault{}
 	vault.FromSDKVault(sdkVault)
 	require.Equal(t, sdkVault.ID, vault.ID)
 	require.Equal(t, sdkVault.CreatedAt, vault.CreatedAt)
 }
--- a/pkg/onepassword/secret_update_handler_test.go
+++ b/pkg/onepassword/secret_update_handler_test.go
@@ -807,15 +807,6 @@ func TestUpdateSecretHandler(t *testing.T) {
 			mockOpClient := &mocks.TestClient{}
 			mockOpClient.On("GetItemByID", mock.Anything, mock.Anything).Return(createItem(), nil)
 			//mocks.DoGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
 			//
 			//	item := onepassword.Item{}
 			//	item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
 			//	item.Version = itemVersion
 			//	item.Vault.ID = vaultUUID
 			//	item.ID = uuid
 			//	return &item, nil
 			//}
 			h := &SecretUpdateHandler{
 				client:                             cl,
 				opClient:                           mockOpClient,