Use 1Password Client to initialize operator either with Connect or Service Accounts

2025-10-22 15:38:06 +00:00 · 2025-05-29 17:23:49 -05:00
parent 432f2c6cf6
commit 1498c223a5
8 changed files with 56 additions and 63 deletions
--- a/pkg/onepassword/client/client.go
+++ b/pkg/onepassword/client/client.go
@@ -2,6 +2,7 @@ package client

 import (
 	"errors"
+	"os"

 	"github.com/1Password/onepassword-operator/pkg/onepassword/client/connect"
 	"github.com/1Password/onepassword-operator/pkg/onepassword/client/sdk"
@@ -16,29 +17,24 @@ type Client interface {
 	GetVaultsByTitle(title string) ([]model.Vault, error)
 }

-// Config holds the configuration for creating a new 1Password client.
-type Config struct {
-	ConnectHost         string
-	ConnectToken        string
-	UserAgent           string
-	ServiceAccountToken string
-	IntegrationName     string
-	IntegrationVersion  string
-}
-
 // NewClient creates a new 1Password client based on the provided configuration.
-func NewClient(config Config) (Client, error) {
-	if config.ServiceAccountToken != "" {
+func NewClient(integrationVersion string) (Client, error) {
+	connectHost, _ := os.LookupEnv("OP_CONNECT_HOST")
+	connectToken, _ := os.LookupEnv("OP_CONNECT_TOKEN")
+	serviceAccountToken, _ := os.LookupEnv("OP_SERVICE_ACCOUNT_TOKEN")
+
+	if serviceAccountToken != "" {
 		return sdk.NewClient(sdk.Config{
-			ServiceAccountToken: config.ServiceAccountToken,
-			IntegrationName:     config.IntegrationName,
-			IntegrationVersion:  config.IntegrationVersion,
+			ServiceAccountToken: serviceAccountToken,
+			IntegrationName:     "1password-operator",
+			IntegrationVersion:  integrationVersion,
 		})
-	} else if config.ConnectHost != "" && config.ConnectToken != "" {
+	} else if connectHost != "" && connectToken != "" {
 		return connect.NewClient(connect.Config{
-			ConnectHost:  config.ConnectHost,
-			ConnectToken: config.ConnectToken,
+			ConnectHost:  connectHost,
+			ConnectToken: connectToken,
 		}), nil
 	}
-	return nil, errors.New("invalid configuration. Either Connect or Service Account credentials should be set")
+
+	return nil, errors.New("invalid configuration. Connect or Service Account credentials should be set")
 }
--- a/pkg/onepassword/client/connect/connect.go
+++ b/pkg/onepassword/client/connect/connect.go
@@ -20,9 +20,10 @@ type Connect struct {
 	client connect.Client
 }

+// NewClient creates a new Connect client using provided configuration.
 func NewClient(config Config) *Connect {
 	return &Connect{
-		client: connect.NewClientWithUserAgent(config.ConnectHost, config.ConnectToken, config.UserAgent),
+		client: connect.NewClient(config.ConnectHost, config.ConnectToken),
 	}
 }

--- a/pkg/onepassword/items.go
+++ b/pkg/onepassword/items.go
@@ -4,36 +4,36 @@ import (
 	"fmt"
 	"strings"

-	"github.com/1Password/connect-sdk-go/connect"
-	"github.com/1Password/connect-sdk-go/onepassword"
-
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+
+	opclient "github.com/1Password/onepassword-operator/pkg/onepassword/client"
+	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
 )

 var logger = logf.Log.WithName("retrieve_item")

-func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
-	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
+func GetOnePasswordItemByPath(opClient opclient.Client, path string) (*model.Item, error) {
+	vaultIdentifier, itemIdentifier, err := ParseVaultAndItemFromPath(path)
 	if err != nil {
 		return nil, err
 	}
-	vaultId, err := getVaultId(opConnectClient, vaultValue)
+	vaultID, err := getVaultID(opClient, vaultIdentifier)
 	if err != nil {
 		return nil, err
 	}

-	itemId, err := getItemId(opConnectClient, itemValue, vaultId)
+	itemID, err := getItemID(opClient, vaultID, itemIdentifier)
 	if err != nil {
 		return nil, err
 	}

-	item, err := opConnectClient.GetItem(itemId, vaultId)
+	item, err := opClient.GetItemByID(itemID, vaultID)
 	if err != nil {
 		return nil, err
 	}

 	for _, file := range item.Files {
-		_, err := opConnectClient.GetFileContent(file)
+		_, err := opClient.GetFileContent(vaultID, itemID, file.ID)
 		if err != nil {
 			return nil, err
 		}
@@ -50,7 +50,7 @@ func ParseVaultAndItemFromPath(path string) (string, string, error) {
 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
 }

-func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {
+func getVaultID(client opclient.Client, vaultIdentifier string) (string, error) {
 	if !IsValidClientUUID(vaultIdentifier) {
 		vaults, err := client.GetVaultsByTitle(vaultIdentifier)
 		if err != nil {
@@ -75,7 +75,7 @@ func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {
 	return vaultIdentifier, nil
 }

-func getItemId(client connect.Client, itemIdentifier string, vaultId string) (string, error) {
+func getItemID(client opclient.Client, vaultId, itemIdentifier string) (string, error) {
 	if !IsValidClientUUID(itemIdentifier) {
 		items, err := client.GetItemsByTitle(itemIdentifier, vaultId)
 		if err != nil {
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -8,10 +8,10 @@ import (
 	onepasswordv1 "github.com/1Password/onepassword-operator/api/v1"
 	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
 	"github.com/1Password/onepassword-operator/pkg/logs"
+	opclient "github.com/1Password/onepassword-operator/pkg/onepassword/client"
+	"github.com/1Password/onepassword-operator/pkg/onepassword/model"
 	"github.com/1Password/onepassword-operator/pkg/utils"

-	"github.com/1Password/connect-sdk-go/connect"
-	"github.com/1Password/connect-sdk-go/onepassword"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -23,17 +23,17 @@ const lockTag = "operator.1password.io:ignore-secret"

 var log = logf.Log.WithName("update_op_kubernetes_secrets_task")

-func NewManager(kubernetesClient client.Client, opConnectClient connect.Client, shouldAutoRestartDeploymentsGlobal bool) *SecretUpdateHandler {
+func NewManager(kubernetesClient client.Client, opClient opclient.Client, shouldAutoRestartDeploymentsGlobal bool) *SecretUpdateHandler {
 	return &SecretUpdateHandler{
 		client:                             kubernetesClient,
-		opConnectClient:                    opConnectClient,
+		opClient:                           opClient,
 		shouldAutoRestartDeploymentsGlobal: shouldAutoRestartDeploymentsGlobal,
 	}
 }

 type SecretUpdateHandler struct {
 	client                             client.Client
-	opConnectClient                    connect.Client
+	opClient                           opclient.Client
 	shouldAutoRestartDeploymentsGlobal bool
 }

@@ -121,14 +121,14 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*

 		OnePasswordItemPath := h.getPathFromOnePasswordItem(secret)

-		item, err := GetOnePasswordItemByPath(h.opConnectClient, OnePasswordItemPath)
+		item, err := GetOnePasswordItemByPath(h.opClient, OnePasswordItemPath)
 		if err != nil {
 			log.Error(err, "failed to retrieve 1Password item at path \"%s\" for secret \"%s\"", secret.Annotations[ItemPathAnnotation], secret.Name)
 			continue
 		}

 		itemVersion := fmt.Sprint(item.Version)
-		itemPathString := fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
+		itemPathString := fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID)

 		if currentVersion != itemVersion || secret.Annotations[ItemPathAnnotation] != itemPathString {
 			if isItemLockedForForcedRestarts(item) {
@@ -159,7 +159,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 	return updatedSecrets, nil
 }

-func isItemLockedForForcedRestarts(item *onepassword.Item) bool {
+func isItemLockedForForcedRestarts(item *model.Item) bool {
 	tags := item.Tags
 	for i := 0; i < len(tags); i++ {
 		if tags[i] == lockTag {