diff --git a/config/crd/bases/onepassword.com_onepassworditems_crd.yaml b/config/crd/bases/onepassword.com_onepassworditems_crd.yaml
new file mode 100644
index 0000000..2a8dc9e
--- /dev/null
+++ b/config/crd/bases/onepassword.com_onepassworditems_crd.yaml
@@ -0,0 +1,45 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: onepassworditems.onepassword.com
+spec:
+ group: onepassword.com
+ names:
+ kind: OnePasswordItem
+ listKind: OnePasswordItemList
+ plural: onepassworditems
+ singular: onepassworditem
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ description: OnePasswordItem is the Schema for the onepassworditems API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: OnePasswordItemSpec defines the desired state of OnePasswordItem
+ properties:
+ itemPath:
+ type: string
+ type: object
+ status:
+ description: OnePasswordItemStatus defines the observed state of OnePasswordItem
+ type: object
+ type:
+ description: 'Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
+ type: string
+ type: object
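Review bot: The only spec field, `itemPath`, has no `description`, no `pattern` and is not listed under `required`, so the API server accepts an `OnePasswordItem` with an empty `spec: {}` and a malformed path is only discovered by the controller at reconcile time. Add `required: - itemPath` under the `spec` property and a description along the lines of `description: Path of the 1Password item, presumably in the form vaults/<vault>/items/<item> as in the example CR` (confirm the exact format against the controller). The top-level `type` property could likewise carry an `enum` of the accepted Kubernetes secret types rather than relying on the link in its description. If this file is controller-gen output, the validation belongs on the Go types (for example `// +kubebuilder:validation:Required`) rather than in the generated YAML.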
diff --git a/config/crd/bases/onepassword.com_v1_onepassworditem_cr.yaml b/config/crd/bases/onepassword.com_v1_onepassworditem_cr.yaml
new file mode 100644
index 0000000..8afe8fc
--- /dev/null
+++ b/config/crd/bases/onepassword.com_v1_onepassworditem_cr.yaml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: example
+spec:
+ itemPath: "vaults//items/"
diff --git a/config/crd/connect/deployment.yaml b/config/crd/connect/deployment.yaml
new file mode 100644
index 0000000..a68d624
--- /dev/null
+++ b/config/crd/connect/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: onepassword-connect
+spec:
+ selector:
+ matchLabels:
+ app: onepassword-connect
+ template:
+ metadata:
+ labels:
+ app: onepassword-connect
+ version: "1.0.0"
+ spec:
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+ - name: credentials
+ secret:
+ secretName: op-credentials
+ initContainers:
+ - name: sqlite-permissions
+ image: alpine:3.12
+ command:
+ - "/bin/sh"
+ - "-c"
+ args:
+ - "mkdir -p /home/opuser/.op/data && chown -R 999 /home/opuser && chmod -R 700 /home/opuser && chmod -f -R 600 /home/opuser/.op/config || :"
+ volumeMounts:
+ - mountPath: /home/opuser/.op/data
+ name: shared-data
+ containers:
+ - name: connect-api
+ image: 1password/connect-api:latest
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "0.2"
+ ports:
+ - containerPort: 8080
+ env:
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ name: op-credentials
+ key: op-session
+ volumeMounts:
+ - mountPath: /home/opuser/.op/data
+ name: shared-data
+ - name: connect-sync
+ image: 1password/connect-sync:latest
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "0.2"
+ ports:
+ - containerPort: 8081
+ env:
+ - name: OP_HTTP_PORT
+ value: "8081"
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ name: op-credentials
+ key: op-session
+ volumeMounts:
+ - mountPath: /home/opuser/.op/data
+ name: shared-data
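Review bot: Both Connect containers use floating tags, `image: 1password/connect-api:latest` and `image: 1password/connect-sync:latest`, while the pod is labelled `version: "1.0.0"`, so what actually runs is whatever the registry serves at pull time and a rescheduled pod can silently pick up a different build; pin an explicit version tag or a digest, as the `alpine:3.12` init container already does, and the same applies to the untagged `image: 1password/onepassword-operator` in operator.yaml and operator_multi_namespace_example.yaml. The `credentials` volume backed by secret `op-credentials` is declared but mounted by no container — `OP_SESSION` is injected through `secretKeyRef` instead — so that entry is dead and can be removed. Only `/home/opuser/.op/data` is shared with the main containers, so the `chown -R 999 /home/opuser` and `chmod -f -R 600 /home/opuser/.op/config` in the init container act on the alpine image's own filesystem and are discarded, and the trailing `|| :` masks a failure anywhere in the chain. Nothing in the pod spec sets a `securityContext` (e.g. `runAsUser: 999`, `runAsNonRoot: true`), so the uid the chown prepares for is presumably what the Connect images default to — worth stating explicitly so it cannot drift.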
diff --git a/config/crd/connect/service.yaml b/config/crd/connect/service.yaml
new file mode 100644
index 0000000..8b154ac
--- /dev/null
+++ b/config/crd/connect/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: onepassword-connect
+spec:
+ type: NodePort
+ selector:
+ app: onepassword-connect
+ ports:
+ - port: 8080
+ name: connect-api
+ nodePort: 31080
+ - port: 8081
+ name: connect-sync
+ nodePort: 31081
diff --git a/config/crd/operator.yaml b/config/crd/operator.yaml
new file mode 100644
index 0000000..f00aaf4
--- /dev/null
+++ b/config/crd/operator.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: onepassword-connect-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: onepassword-connect-operator
+ template:
+ metadata:
+ labels:
+ name: onepassword-connect-operator
+ spec:
+ serviceAccountName: onepassword-connect-operator
+ containers:
+ - name: onepassword-connect-operator
+ image: 1password/onepassword-operator
+ command: ["/manager"]
+ env:
+ - name: WATCH_NAMESPACE
+ value: "default"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: "onepassword-connect-operator"
+ - name: OP_CONNECT_HOST
+ value: "http://onepassword-connect:8080"
+ - name: POLLING_INTERVAL
+ value: "10"
+ - name: OP_CONNECT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-token
+ key: token
+ - name: AUTO_RESTART
+ value: "false"
diff --git a/config/crd/operator_multi_namespace_example.yaml b/config/crd/operator_multi_namespace_example.yaml
new file mode 100644
index 0000000..5428265
--- /dev/null
+++ b/config/crd/operator_multi_namespace_example.yaml
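Review bot: `type: NodePort` with `nodePort: 31080` and `nodePort: 31081` publishes the Connect API and sync endpoints on every node's IP, reachable by anything on the node network, although the only consumer in this change is the in-cluster operator, which addresses the service as `http://onepassword-connect:8080` in operator.yaml. Unless external access is a deliberate requirement, `type: ClusterIP` with the two `nodePort` lines removed keeps the token-protected secrets API inside the cluster; if node exposure is intended, a NetworkPolicy or a TLS-terminating ingress in front of it is the compensating control and the choice deserves a comment. Nothing on the page connects to 8081 from outside the pod, so whether `connect-sync` needs a service port at all is worth confirming.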
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: onepassword-connect-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: onepassword-connect-operator
+ template:
+ metadata:
+ labels:
+ name: onepassword-connect-operator
+ spec:
+ serviceAccountName: onepassword-connect-operator
+ containers:
+ - name: onepassword-connect-operator
+ image: 1password/onepassword-operator
+ command: ["/manager"]
+ env:
+ - name: WATCH_NAMESPACE
+ value: "default,development"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: "onepassword-connect-operator"
+ - name: OP_CONNECT_HOST
+ value: "http://onepassword-connect:8080"
+ - name: POLLING_INTERVAL
+ value: "10"
+ - name: OP_CONNECT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-token
+ key: token
+ - name: AUTO_RESTART
+ value: "false"
diff --git a/config/crd/permissions.yaml b/config/crd/permissions.yaml
new file mode 100644
index 0000000..d90fbd0
--- /dev/null
+++ b/config/crd/permissions.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: onepassword-connect-operator
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: onepassword-connect-operator-default
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: onepassword-connect-operator
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: onepassword-connect-operator
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: onepassword-connect-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - services/finalizers
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - apps
+ resourceNames:
+ - onepassword-connect-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - onepassword.com
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
\ No newline at end of file
diff --git a/config/crd/permissions_multi_namespace_example.yaml b/config/crd/permissions_multi_namespace_example.yaml
new file mode 100644
index 0000000..ae9e081
--- /dev/null
+++ b/config/crd/permissions_multi_namespace_example.yaml
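Review bot: The `onepassword-connect-operator-default` binding is a `ClusterRoleBinding`, so the `namespace: default` in its metadata has no effect (the kind is cluster-scoped) and the service account receives the whole ClusterRole in every namespace — create/delete/patch on `secrets`, `deployments`, `daemonsets`, `statefulsets` and `namespaces` included — even though operator.yaml limits `WATCH_NAMESPACE` to `default`. If per-namespace scoping is the intent, as the `-default` suffix and the second `-development` ClusterRoleBinding in permissions_multi_namespace_example.yaml suggest, a `RoleBinding` in each watched namespace that references the ClusterRole achieves it, and the rules can then be cut down to what the controller actually touches (presumably `secrets`, plus `deployments` for `AUTO_RESTART` — confirm against the operator code); the later `pods` get and `replicasets`/`deployments` get rules are already covered by the first two rules and can be dropped. The ServiceAccount carries no `namespace`, so it is created wherever `kubectl apply` points, while the binding's subject hard-codes `namespace: default`; set the namespace on both so they cannot diverge. The file also ends without a trailing newline.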
@@ -0,0 +1,114 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: onepassword-connect-operator
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: onepassword-connect-operator-default
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: onepassword-connect-operator
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: onepassword-connect-operator
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: onepassword-connect-operator-development
+ namespace: development
+subjects:
+- kind: ServiceAccount
+ name: onepassword-connect-operator
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: onepassword-connect-operator
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: onepassword-connect-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - services/finalizers
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - apps
+ resourceNames:
+ - onepassword-connect-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - onepassword.com
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch