1Password/onepassword-operator
1
0
Fork 0
mirror of https://github.com/1Password/onepassword-operator.git synced 2025-10-22 07:28:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add crds for connect, 1password items and permissions

Browse Source
This commit is contained in:
Marton Soos
2022-04-15 12:28:59 +02:00
parent 493b311564
commit 209bc7cd17
8 changed files with 426 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
config/crd/bases/onepassword.com_onepassworditems_crd.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: onepassworditems.onepassword.com
spec:
group: onepassword.com
names:
kind: OnePasswordItem
listKind: OnePasswordItemList
plural: onepassworditems
singular: onepassworditem
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
description: OnePasswordItem is the Schema for the onepassworditems API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OnePasswordItemSpec defines the desired state of OnePasswordItem
properties:
itemPath:
type: string
type: object
status:
description: OnePasswordItemStatus defines the observed state of OnePasswordItem
type: object
type:
description: 'Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
type: string
type: object

6
config/crd/bases/onepassword.com_v1_onepassworditem_cr.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: example
spec:
itemPath: "vaults/<vault_id>/items/<item_id>"

68
config/crd/connect/deployment.yaml Normal file
View File

@@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: onepassword-connect
spec:
selector:
matchLabels:
app: onepassword-connect
template:
metadata:
labels:
app: onepassword-connect
version: "1.0.0"
spec:
volumes:
- name: shared-data
emptyDir: {}
- name: credentials
secret:
secretName: op-credentials
initContainers:
- name: sqlite-permissions
image: alpine:3.12
command:
- "/bin/sh"
- "-c"
args:
- "mkdir -p /home/opuser/.op/data && chown -R 999 /home/opuser && chmod -R 700 /home/opuser && chmod -f -R 600 /home/opuser/.op/config || :"
volumeMounts:
- mountPath: /home/opuser/.op/data
name: shared-data
containers:
- name: connect-api
image: 1password/connect-api:latest
resources:
limits:
memory: "128Mi"
cpu: "0.2"
ports:
- containerPort: 8080
env:
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: op-credentials
key: op-session
volumeMounts:
- mountPath: /home/opuser/.op/data
name: shared-data
- name: connect-sync
image: 1password/connect-sync:latest
resources:
limits:
memory: "128Mi"
cpu: "0.2"
ports:
- containerPort: 8081
env:
- name: OP_HTTP_PORT
value: "8081"
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: op-credentials
key: op-session
volumeMounts:
- mountPath: /home/opuser/.op/data
name: shared-data

15
config/crd/connect/service.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: onepassword-connect
spec:
type: NodePort
selector:
app: onepassword-connect
ports:
- port: 8080
name: connect-api
nodePort: 31080
- port: 8081
name: connect-sync
nodePort: 31081

39
config/crd/operator.yaml Normal file
View File

@@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: onepassword-connect-operator
spec:
replicas: 1
selector:
matchLabels:
name: onepassword-connect-operator
template:
metadata:
labels:
name: onepassword-connect-operator
spec:
serviceAccountName: onepassword-connect-operator
containers:
- name: onepassword-connect-operator
image: 1password/onepassword-operator
command: ["/manager"]
env:
- name: WATCH_NAMESPACE
value: "default"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "onepassword-connect-operator"
- name: OP_CONNECT_HOST
value: "http://onepassword-connect:8080"
- name: POLLING_INTERVAL
value: "10"
- name: OP_CONNECT_TOKEN
valueFrom:
secretKeyRef:
name: onepassword-token
key: token
- name: AUTO_RESTART
value: "false"

39
config/crd/operator_multi_namespace_example.yaml Normal file
View File

@@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: onepassword-connect-operator
spec:
replicas: 1
selector:
matchLabels:
name: onepassword-connect-operator
template:
metadata:
labels:
name: onepassword-connect-operator
spec:
serviceAccountName: onepassword-connect-operator
containers:
- name: onepassword-connect-operator
image: 1password/onepassword-operator
command: ["/manager"]
env:
- name: WATCH_NAMESPACE
value: "default,development"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "onepassword-connect-operator"
- name: OP_CONNECT_HOST
value: "http://onepassword-connect:8080"
- name: POLLING_INTERVAL
value: "10"
- name: OP_CONNECT_TOKEN
valueFrom:
secretKeyRef:
name: onepassword-token
key: token
- name: AUTO_RESTART
value: "false"

100
config/crd/permissions.yaml Normal file
View File

@@ -0,0 +1,100 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: onepassword-connect-operator
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: onepassword-connect-operator-default
namespace: default
subjects:
- kind: ServiceAccount
name: onepassword-connect-operator
namespace: default
roleRef:
kind: ClusterRole
name: onepassword-connect-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: onepassword-connect-operator
rules:
- apiGroups:
- ""
resources:
- pods
- services
- services/finalizers
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- namespaces
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- onepassword-connect-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
verbs:
- get
- apiGroups:
- onepassword.com
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

114
config/crd/permissions_multi_namespace_example.yaml Normal file
View File

@@ -0,0 +1,114 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: onepassword-connect-operator
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: onepassword-connect-operator-default
namespace: default
subjects:
- kind: ServiceAccount
name: onepassword-connect-operator
namespace: default
roleRef:
kind: ClusterRole
name: onepassword-connect-operator
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: onepassword-connect-operator-development
namespace: development
subjects:
- kind: ServiceAccount
name: onepassword-connect-operator
namespace: default
roleRef:
kind: ClusterRole
name: onepassword-connect-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: onepassword-connect-operator
rules:
- apiGroups:
- ""
resources:
- pods
- services
- services/finalizers
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- namespaces
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- onepassword-connect-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
verbs:
- get
- apiGroups:
- onepassword.com
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch