Add instructions on how to use Operator with Service Accounts

This commit is contained in:
Volodymyr Zotov
2025-06-08 11:23:10 -05:00
parent ac06f8db13
commit 4baad12e10


@@ -5,9 +5,11 @@
## Table of Contents ## Table of Contents
- [Configuration Options](#configuration-options)
- [Prerequisites](#prerequisites) - [Prerequisites](#prerequisites)
- [Deploying 1Password Connect to Kubernetes](#deploying-1password-connect-to-kubernetes) - [Deploying 1Password Connect to Kubernetes](#deploying-1password-connect-to-kubernetes)
- [Kubernetes Operator Deployment](#kubernetes-operator-deployment) - [Kubernetes Operator Deployment With Connect](#kubernetes-operator-deployment-with-connect)
- [Kubernetes Operator Deployment With Service Account](#kubernetes-operator-deployment-with-service-account)
- [Usage](#usage) - [Usage](#usage)
- [Configuring Automatic Rolling Restarts of Deployments](#configuring-automatic-rolling-restarts-of-deployments) - [Configuring Automatic Rolling Restarts of Deployments](#configuring-automatic-rolling-restarts-of-deployments)
- [Development](#development) - [Development](#development)
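Review bot: the new `Configuration Options` entry is placed before `Prerequisites` in the table of contents, but the `## Configuration options` heading itself is inserted after the prerequisites list (next hunk), so the TOC order no longer matches the document order; either move the entry below `Prerequisites` or move the section above it. Minor: the TOC entry reads `Configuration Options` while the heading reads `Configuration options`; the slug still resolves, but every other entry uses the heading's exact casing.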
@@ -19,6 +21,11 @@
- [`docker` installed](https://docs.docker.com/get-docker/) - [`docker` installed](https://docs.docker.com/get-docker/)
- [A `1password-credentials.json` file generated and a 1Password Connect API Token issued for the K8s Operator integration](https://developer.1password.com/docs/connect/get-started/#step-1-set-up-a-secrets-automation-workflow) - [A `1password-credentials.json` file generated and a 1Password Connect API Token issued for the K8s Operator integration](https://developer.1password.com/docs/connect/get-started/#step-1-set-up-a-secrets-automation-workflow)
## Configuration options
There are 2 ways 1Password Operator can talk to 1Password servers:
- **Connect**: It uses the 1Password Connect API to access items in 1Password.
- **Service Account**: It uses [1Password SDK](https://developer.1password.com/docs/sdks/) and [Service Account](https://developer.1password.com/docs/service-accounts) to access items in 1Password.
## Deploying 1Password Connect to Kubernetes ## Deploying 1Password Connect to Kubernetes
If 1Password Connect is already running, you can skip this step. If 1Password Connect is already running, you can skip this step.
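Review bot: the prerequisites list above still presents the `1password-credentials.json` file and Connect API token as required for every install, but with the new Service Account option they are only needed for the Connect path; add a Service Account token as the alternative prerequisite (or mark that bullet as Connect-only) so readers choosing Service Accounts do not set up Connect unnecessarily. Also spell `2` as `two` in running text, and make sure a blank line separates the prerequisites list from the new `## Configuration options` heading in the source file.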
@@ -60,7 +67,7 @@ Add the following environment variable to the onepassword-connect-operator conta
Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the current namespace. Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the current namespace.
### Kubernetes Operator Deployment ## Kubernetes Operator Deployment with Connect
#### Create Kubernetes Secret for OP_CONNECT_TOKEN #### #### Create Kubernetes Secret for OP_CONNECT_TOKEN ####
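Review bot: promoting `Kubernetes Operator Deployment with Connect` from `###` to `##` leaves its `#### Create Kubernetes Secret for OP_CONNECT_TOKEN ####` subsection two levels below its parent; either demote that subsection to `###` or keep the parent at `###`, and apply the same levels to the new Service Account section so the two deployment paths nest identically.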
@@ -118,6 +125,64 @@ make deploy
make undeploy make undeploy
``` ```
## Kubernetes Operator Deployment with Service Account
#### Create Kubernetes Secret for OP_SERVICE_ACCOUNT_TOKEN ####
Create a Service Account token for the operator and save it as a Kubernetes Secret:
```bash
kubectl create secret generic onepassword-service-account-token --from-literal=token="$OP_SERVICE_ACCOUNT_TOKEN"
```
If you do not have a token for the operator, you can generate a token and save it to Kubernetes with the following command:
```bash
kubectl create secret generic onepassword-service-account-token --from-literal=token=$(op service-account create my-service-account --vault Dev:read_items --vault Test:read_items,write_items)
```
**Deploying the Operator**
An sample Deployment yaml can be found at `/config/manager/manager.yaml`.
To use Operator with Service Account, you need to set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable in the `/config/manager/manager.yaml`. And remove `OP_CONNECT_TOKEN` and `OP_CONNECT_HOST` environment variables.
To further configure the 1Password Kubernetes Operator the following Environment variables can be set in the operator yaml:
- **OP_SERVICE_ACCOUNT_TOKEN** *(required)*: Specifies Service Account token within Kubernetes to access the 1Password items.
- **WATCH_NAMESPACE:** *(default: watch all namespaces)*: Comma separated list of what Namespaces to watch for changes.
- **POLLING_INTERVAL** *(default: 600)*: The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password.
- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
You can also set the logging level by setting `--zap-log-level` as an arg on the containers to either `debug`, `info` or `error`. (Note: the default value is `debug`.)
Example:
```yaml
.
.
.
containers:
- command:
- /manager
args:
- --leader-elect
- --zap-log-level=info
image: 1password/onepassword-operator:latest
.
.
.
```
To deploy the operator, simply run the following command:
```shell
make deploy
```
**Undeploy Operator**
```
make undeploy
```
## Usage ## Usage
To create a Kubernetes Secret from a 1Password item, create a yaml file with the following To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
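Review bot: both `kubectl create secret generic onepassword-service-account-token --from-literal=token=...` commands pass the Service Account token as a command-line argument, so it lands in shell history and is visible to other local users in the process list while the command runs; prefer piping it in via `--from-file=token=/dev/stdin` (trimming the trailing newline so it is not stored in the Secret) or reading it from a file with `0600` permissions, and double-quote the `$(...)` substitution if the inline form is kept. The generated example also grants `write_items` on the `Test` vault; unless the operator writes items back to 1Password, which this README does not describe, `read_items` is sufficient, and readers copying the command will otherwise over-provision the token. The `OP_SERVICE_ACCOUNT_TOKEN` bullet says the token is set "within Kubernetes" but never shows how the manager reads the Secret created above; add the `valueFrom.secretKeyRef` reference (name `onepassword-service-account-token`, key `token`) so the token is not pasted as a literal `value:` into `manager.yaml`. Typos: `An sample Deployment yaml` should read `A sample`, and `And remove ...` is a sentence fragment that should join the preceding sentence.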