Moving operator code to a designated folder so that webhook work can also be included in this repo

2025-10-22 23:48:05 +00:00 · 2021-09-28 15:07:19 -03:00
parent d807e92c36
commit f974d3f398
50 changed files with 283 additions and 288 deletions
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -0,0 +1,31 @@
+# Build the manager binary
+FROM golang:1.13 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Copy the go source
+COPY operator/cmd/manager/main.go operator/main.go
+COPY operator/pkg/ operator/pkg/
+COPY operator/version/ operator/version/
+COPY vendor/ vendor/
+# Build
+ARG operator_version=dev
+RUN CGO_ENABLED=0 \
+    GO111MODULE=on \
+    go build \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
+    -mod vendor \
+    -a -o manager operator/main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+COPY operator/deploy/connect/ operator/deploy/connect/
+
+ENTRYPOINT ["/manager"]
--- a/operator/README.md
+++ b/operator/README.md
@@ -0,0 +1,235 @@
+# 1Password Connect Kubernetes Operator
+
+The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.
+
+The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
+
+The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.
+
+## Setup
+
+Prerequisites:
+
+- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
+- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- [docker installed](https://docs.docker.com/get-docker/)
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+
+### Quickstart for Deploying 1Password Connect to Kubernetes
+
+
+#### Deploy with Helm
+The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes. 
+
+[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
+
+#### Deploy using the Connect Operator
+If 1Password Connect is already running, you can skip this step. This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
+
+Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:
+
+```bash
+$ cat 1password-credentials.json | base64 | \
+  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
+```
+
+Create a Kubernetes secret from the op-session file:
+```bash
+
+$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
+```
+
+Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
+```yaml
+- name: MANAGE_CONNECT
+  value: "true"
+```
+Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the `default` namespace.
+### Kubernetes Operator Deployment
+
+**Create Kubernetes Secret for OP_CONNECT_TOKEN**
+
+"Create a Connect token for the operator and save it as a Kubernetes Secret: 
+
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
+```
+
+If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+```
+
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
+
+**Set Permissions For Operator**
+
+We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.
+
+```bash
+$ kubectl apply -f deploy/permissions.yaml
+```
+
+**Create Custom One Password Secret Resource**
+
+```bash
+$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
+```
+
+**Deploying the Operator**
+
+An sample Deployment yaml can be found at `/deploy/operator.yaml`.
+
+
+To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
+
+- **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
+- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
+
+Apply the deployment file:
+
+```yaml
+kubectl apply -f deploy/operator.yaml
+```
+
+## Usage
+
+To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
+
+```yaml
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: <item_name> #this name will also be used for naming the generated kubernetes secret
+spec:
+  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
+```
+
+Deploy the OnePasswordItem to Kubernetes:
+
+```bash
+$ kubectl apply -f <your_item>.yaml
+```
+
+To test that the Kubernetes Secret check that the following command returns a secret:
+
+```bash
+$ kubectl get secret <secret_name>
+```
+
+Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
+
+To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-example
+  annotations:
+    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
+    operator.1password.io/item-name: "<secret_name>"
+```
+
+Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
+
+Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
+
+---
+**NOTE**
+
+If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
+
+Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
+ - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
+ - All whitespaces between words will be replaced by `-`
+ - All the letters will be lower-cased.
+
+---
+
+### Configuring Automatic Rolling Restarts of Deployments
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to `auto-restart` AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.
+
+There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.
+
+**On the operator**: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable  `AUTO_RESTART` to true. If the value is not set, the operator will default this value to false.
+
+**Per Namespace**: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired namespace. An example of this is shown below:
+```yaml
+# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "example-namespace"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
+
+**Per Deployment**
+This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired deployment. An example of this is shown below:
+```yaml
+# enabled auto restarts for the deployment
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: "example-deployment"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the namespace will be used.
+
+**Per OnePasswordItem Custom Resource**
+This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation `operator.1password.io/auto_restart` to either `true` or `false` on the desired OnePasswordItem. An example of this is shown below:
+```yaml
+# enabled auto restarts for the OnePasswordItem
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: example
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the deployment will be used.
+
+## Development
+
+### Creating a Docker image
+
+To create a local version of the Docker image for testing, use the following `Makefile` target:
+```shell
+make build/local
+```
+
+### Building the Operator binary
+```shell
+make build/binary
+```
+
+The binary will be placed inside a `dist` folder within this repository.
+
+### Running Tests
+
+```shell
+make test
+```
+
+With coverage:
+```shell
+make test/coverage
+```
+
+## Security
+
+1Password requests you practice responsible disclosure if you discover a vulnerability. 
+
+Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). 
+
+For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
--- a/operator/cmd/manager/main.go
+++ b/operator/cmd/manager/main.go
@@ -0,0 +1,302 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/controller"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/client-go/rest"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/apis"
+	"github.com/1Password/onepassword-operator/operator/version"
+
+	"github.com/1Password/connect-sdk-go/connect"
+
+	"github.com/operator-framework/operator-sdk/pkg/k8sutil"
+	kubemetrics "github.com/operator-framework/operator-sdk/pkg/kube-metrics"
+	"github.com/operator-framework/operator-sdk/pkg/leader"
+	"github.com/operator-framework/operator-sdk/pkg/log/zap"
+	"github.com/operator-framework/operator-sdk/pkg/metrics"
+	sdkVersion "github.com/operator-framework/operator-sdk/version"
+	"github.com/spf13/pflag"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+)
+
+const envPollingIntervalVariable = "POLLING_INTERVAL"
+const manageConnect = "MANAGE_CONNECT"
+const restartDeploymentsEnvVariable = "AUTO_RESTART"
+const defaultPollingInterval = 600
+
+// Change below variables to serve metrics on different host or port.
+var (
+	metricsHost               = "0.0.0.0"
+	metricsPort         int32 = 8383
+	operatorMetricsPort int32 = 8686
+)
+var log = logf.Log.WithName("cmd")
+
+func printVersion() {
+	log.Info(fmt.Sprintf("Operator Version: %s", version.Version))
+	log.Info(fmt.Sprintf("Go Version: %s", runtime.Version()))
+	log.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH))
+	log.Info(fmt.Sprintf("Version of operator-sdk: %v", sdkVersion.Version))
+}
+
+func main() {
+	// Add the zap logger flag set to the CLI. The flag set must
+	// be added before calling pflag.Parse().
+	pflag.CommandLine.AddFlagSet(zap.FlagSet())
+
+	// Add flags registered by imported packages (e.g. glog and
+	// controller-runtime)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+
+	pflag.Parse()
+
+	// Use a zap logr.Logger implementation. If none of the zap
+	// flags are configured (or if the zap flag set is not being
+	// used), this defaults to a production zap logger.
+	//
+	// The logger instantiated here can be changed to any logger
+	// implementing the logr.Logger interface. This logger will
+	// be propagated through the whole operator, generating
+	// uniform and structured logs.
+	logf.SetLogger(zap.Logger())
+
+	printVersion()
+
+	namespace := os.Getenv(k8sutil.WatchNamespaceEnvVar)
+
+	deploymentNamespace, err := k8sutil.GetOperatorNamespace()
+	if err != nil {
+		log.Error(err, "Failed to get namespace")
+		os.Exit(1)
+	}
+
+	// Get a config to talk to the apiserver
+	cfg, err := config.GetConfig()
+	if err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	ctx := context.Background()
+	// Become the leader before proceeding
+	err = leader.Become(ctx, "onepassword-connect-operator-lock")
+	if err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Set default manager options
+	options := manager.Options{
+		Namespace:          namespace,
+		MetricsBindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort),
+	}
+
+	// Add support for MultiNamespace set in WATCH_NAMESPACE (e.g ns1,ns2)
+	// Note that this is not intended to be used for excluding namespaces, this is better done via a Predicate
+	// Also note that you may face performance issues when using this with a high number of namespaces.
+	if strings.Contains(namespace, ",") {
+		options.Namespace = ""
+		options.NewCache = cache.MultiNamespacedCacheBuilder(strings.Split(namespace, ","))
+	}
+
+	// Create a new manager to provide shared dependencies and start components
+	mgr, err := manager.New(cfg, options)
+	if err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	log.Info("Registering Components.")
+
+	// Setup Scheme for all resources
+	if err := apis.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	//Setup 1PasswordConnect
+	if shouldManageConnect() {
+		log.Info("Automated Connect Management Enabled")
+		go func() {
+			connectStarted := false
+			for connectStarted == false {
+				err := op.SetupConnect(mgr.GetClient(), deploymentNamespace)
+				// Cache Not Started is an acceptable error. Retry until cache is started.
+				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) {
+					log.Error(err, "")
+					os.Exit(1)
+				}
+				if err == nil {
+					connectStarted = true
+				}
+			}
+		}()
+	} else {
+		log.Info("Automated Connect Management Disabled")
+	}
+
+	// Setup One Password Client
+	opConnectClient, err := connect.NewClientFromEnvironment()
+
+	if err := controller.AddToManager(mgr, opConnectClient); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Add the Metrics Service
+	addMetrics(ctx, cfg)
+
+	// Setup update secrets task
+	updatedSecretsPoller := op.NewManager(mgr.GetClient(), opConnectClient, shouldAutoRestartDeployments())
+	done := make(chan bool)
+	ticker := time.NewTicker(getPollingIntervalForUpdatingSecrets())
+	go func() {
+		for {
+			select {
+			case <-done:
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				updatedSecretsPoller.UpdateKubernetesSecretsTask()
+			}
+		}
+	}()
+
+	// Start the Cmd
+	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+		log.Error(err, "Manager exited non-zero")
+		done <- true
+		os.Exit(1)
+	}
+}
+
+// addMetrics will create the Services and Service Monitors to allow the operator export the metrics by using
+// the Prometheus operator
+func addMetrics(ctx context.Context, cfg *rest.Config) {
+	// Get the namespace the operator is currently deployed in.
+	operatorNs, err := k8sutil.GetOperatorNamespace()
+	if err != nil {
+		if errors.Is(err, k8sutil.ErrRunLocal) {
+			log.Info("Skipping CR metrics server creation; not running in a cluster.")
+			return
+		}
+	}
+
+	if err := serveCRMetrics(cfg, operatorNs); err != nil {
+		log.Info("Could not generate and serve custom resource metrics", "error", err.Error())
+	}
+
+	// Add to the below struct any other metrics ports you want to expose.
+	servicePorts := []v1.ServicePort{
+		{Port: metricsPort, Name: metrics.OperatorPortName, Protocol: v1.ProtocolTCP, TargetPort: intstr.IntOrString{Type: intstr.Int, IntVal: metricsPort}},
+		{Port: operatorMetricsPort, Name: metrics.CRPortName, Protocol: v1.ProtocolTCP, TargetPort: intstr.IntOrString{Type: intstr.Int, IntVal: operatorMetricsPort}},
+	}
+
+	// Create Service object to expose the metrics port(s).
+	service, err := metrics.CreateMetricsService(ctx, cfg, servicePorts)
+	if err != nil {
+		log.Info("Could not create metrics Service", "error", err.Error())
+	}
+
+	// CreateServiceMonitors will automatically create the prometheus-operator ServiceMonitor resources
+	// necessary to configure Prometheus to scrape metrics from this operator.
+	services := []*v1.Service{service}
+
+	// The ServiceMonitor is created in the same namespace where the operator is deployed
+	_, err = metrics.CreateServiceMonitors(cfg, operatorNs, services)
+	if err != nil {
+		log.Info("Could not create ServiceMonitor object", "error", err.Error())
+		// If this operator is deployed to a cluster without the prometheus-operator running, it will return
+		// ErrServiceMonitorNotPresent, which can be used to safely skip ServiceMonitor creation.
+		if err == metrics.ErrServiceMonitorNotPresent {
+			log.Info("Install prometheus-operator in your cluster to create ServiceMonitor objects", "error", err.Error())
+		}
+	}
+}
+
+// serveCRMetrics gets the Operator/CustomResource GVKs and generates metrics based on those types.
+// It serves those metrics on "http://metricsHost:operatorMetricsPort".
+func serveCRMetrics(cfg *rest.Config, operatorNs string) error {
+	// The function below returns a list of filtered operator/CR specific GVKs. For more control, override the GVK list below
+	// with your own custom logic. Note that if you are adding third party API schemas, probably you will need to
+	// customize this implementation to avoid permissions issues.
+	filteredGVK, err := k8sutil.GetGVKsFromAddToScheme(apis.AddToScheme)
+	if err != nil {
+		return err
+	}
+
+	// The metrics will be generated from the namespaces which are returned here.
+	// NOTE that passing nil or an empty list of namespaces in GenerateAndServeCRMetrics will result in an error.
+	ns, err := kubemetrics.GetNamespacesForMetrics(operatorNs)
+	if err != nil {
+		return err
+	}
+
+	// Generate and serve custom resource specific metrics.
+	err = kubemetrics.GenerateAndServeCRMetrics(cfg, ns, filteredGVK, metricsHost, operatorMetricsPort)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func getPollingIntervalForUpdatingSecrets() time.Duration {
+	timeInSecondsString, found := os.LookupEnv(envPollingIntervalVariable)
+	if found {
+		timeInSeconds, err := strconv.Atoi(timeInSecondsString)
+		if err == nil {
+			return time.Duration(timeInSeconds) * time.Second
+		}
+		log.Info("Invalid value set for polling interval. Must be a valid integer.")
+	}
+
+	log.Info(fmt.Sprintf("Using default polling interval of %v seconds", defaultPollingInterval))
+	return time.Duration(defaultPollingInterval) * time.Second
+}
+
+func shouldManageConnect() bool {
+	shouldManageConnect, found := os.LookupEnv(manageConnect)
+	if found {
+		shouldManageConnectBool, err := strconv.ParseBool(strings.ToLower(shouldManageConnect))
+		if err != nil {
+			log.Error(err, "")
+			os.Exit(1)
+		}
+		return shouldManageConnectBool
+	}
+	return false
+}
+
+func shouldAutoRestartDeployments() bool {
+	shouldAutoRestartDeployments, found := os.LookupEnv(restartDeploymentsEnvVariable)
+	if found {
+		shouldAutoRestartDeploymentsBool, err := strconv.ParseBool(strings.ToLower(shouldAutoRestartDeployments))
+		if err != nil {
+			log.Error(err, "")
+			os.Exit(1)
+		}
+		return shouldAutoRestartDeploymentsBool
+	}
+	return false
+}
--- a/operator/deploy/connect/deployment.yaml
+++ b/operator/deploy/connect/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect
+spec:
+  selector:
+    matchLabels:
+      app: onepassword-connect
+  template:
+    metadata:
+      labels:
+        app: onepassword-connect
+        version: "1.0.0"
+    spec:
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+        - name: credentials
+          secret:
+            secretName: op-credentials
+      initContainers:
+        - name: sqlite-permissions
+          image: alpine:3.12
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - "mkdir -p /home/opuser/.op/data && chown -R 999 /home/opuser && chmod -R 700 /home/opuser && chmod -f -R 600 /home/opuser/.op/config || :"
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
+      containers:
+        - name: connect-api
+          image: 1password/connect-api:latest
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "0.2"
+          ports:
+            - containerPort: 8080
+          env:
+            - name: OP_SESSION
+              valueFrom:
+                secretKeyRef:
+                  name: op-credentials
+                  key: op-session
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
+        - name: connect-sync
+          image: 1password/connect-sync:latest
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "0.2"
+          ports:
+            - containerPort: 8081
+          env:
+            - name: OP_HTTP_PORT
+              value: "8081"
+            - name: OP_SESSION
+              valueFrom:
+                secretKeyRef:
+                  name: op-credentials
+                  key: op-session
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
--- a/operator/deploy/connect/service.yaml
+++ b/operator/deploy/connect/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: onepassword-connect
+spec:
+  type: NodePort
+  selector:
+    app: onepassword-connect
+  ports:
+    - port: 8080
+      name: connect-api
+      nodePort: 31080
+    - port: 8081
+      name: connect-sync
+      nodePort: 31081
--- a/operator/deploy/crds/onepassword.com_onepassworditems_crd.yaml
+++ b/operator/deploy/crds/onepassword.com_onepassworditems_crd.yaml
@@ -0,0 +1,42 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: onepassworditems.onepassword.com
+spec:
+  group: onepassword.com
+  names:
+    kind: OnePasswordItem
+    listKind: OnePasswordItemList
+    plural: onepassworditems
+    singular: onepassworditem
+  scope: Namespaced
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        description: OnePasswordItem is the Schema for the onepassworditems API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OnePasswordItemSpec defines the desired state of OnePasswordItem
+            properties:
+              itemPath:
+                type: string
+            type: object
+          status:
+            description: OnePasswordItemStatus defines the observed state of OnePasswordItem
+            type: object
+        type: object
--- a/operator/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
+++ b/operator/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: example
+spec:
+  itemPath: "vaults/<vault_id>/items/<item_id>"
--- a/operator/deploy/operator.yaml
+++ b/operator/deploy/operator.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: onepassword-connect-operator
+  template:
+    metadata:
+      labels:
+        name: onepassword-connect-operator
+    spec:
+      serviceAccountName: onepassword-connect-operator
+      containers:
+        - name: onepassword-connect-operator
+          image: 1password/onepassword-operator
+          command: ["/manager"]
+          env:
+            - name: WATCH_NAMESPACE
+              value: "default"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "onepassword-connect-operator"
+            - name: OP_CONNECT_HOST
+              value: "http://onepassword-connect:8080"
+            - name: POLLING_INTERVAL
+              value: "10"
+            - name: OP_CONNECT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: onepassword-token
+                  key: token
+            - name: AUTO_RESTART
+              value: "false"
--- a/operator/deploy/operator_multi_namespace_example.yaml
+++ b/operator/deploy/operator_multi_namespace_example.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: onepassword-connect-operator
+  template:
+    metadata:
+      labels:
+        name: onepassword-connect-operator
+    spec:
+      serviceAccountName: onepassword-connect-operator
+      containers:
+        - name: onepassword-connect-operator
+          image: 1password/onepassword-operator
+          command: ["/manager"]
+          env:
+            - name: WATCH_NAMESPACE
+              value: "default,development"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "onepassword-connect-operator"
+            - name: OP_CONNECT_HOST
+              value: "http://onepassword-connect:8080"
+            - name: POLLING_INTERVAL
+              value: "10"
+            - name: OP_CONNECT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: onepassword-token
+                  key: token
+            - name: AUTO_RESTART
+              value: "false"
--- a/operator/deploy/permissions.yaml
+++ b/operator/deploy/permissions.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: onepassword-connect-operator
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: onepassword-connect-operator-default
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: onepassword-connect-operator
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: onepassword-connect-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: onepassword-connect-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  - namespaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - apps
+  resourceNames:
+  - onepassword-connect-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  - deployments
+  verbs:
+  - get
+- apiGroups:
+  - onepassword.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
--- a/operator/deploy/permissions_multi_namespace_example.yaml
+++ b/operator/deploy/permissions_multi_namespace_example.yaml
@@ -0,0 +1,114 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: onepassword-connect-operator
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: onepassword-connect-operator-default
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: onepassword-connect-operator
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: onepassword-connect-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: onepassword-connect-operator-development
+  namespace: development
+subjects:
+- kind: ServiceAccount
+  name: onepassword-connect-operator
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: onepassword-connect-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: onepassword-connect-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  - namespaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - apps
+  resourceNames:
+  - onepassword-connect-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  - deployments
+  verbs:
+  - get
+- apiGroups:
+  - onepassword.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
--- a/operator/pkg/apis/addtoscheme_onepassword_v1.go
+++ b/operator/pkg/apis/addtoscheme_onepassword_v1.go
@@ -0,0 +1,10 @@
+package apis
+
+import (
+	v1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1.SchemeBuilder.AddToScheme)
+}
--- a/operator/pkg/apis/apis.go
+++ b/operator/pkg/apis/apis.go
@@ -0,0 +1,13 @@
+package apis
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AddToSchemes may be used to add all resources defined in the project to a Scheme
+var AddToSchemes runtime.SchemeBuilder
+
+// AddToScheme adds all Resources to the Scheme
+func AddToScheme(s *runtime.Scheme) error {
+	return AddToSchemes.AddToScheme(s)
+}
--- a/operator/pkg/apis/onepassword/group.go
+++ b/operator/pkg/apis/onepassword/group.go
@@ -0,0 +1,6 @@
+// Package onepassword contains onepassword API versions.
+//
+// This file ensures Go source parsers acknowledge the onepassword package
+// and any child packages. It can be removed if any other Go source files are
+// added to this package.
+package onepassword
--- a/operator/pkg/apis/onepassword/v1/doc.go
+++ b/operator/pkg/apis/onepassword/v1/doc.go
@@ -0,0 +1,4 @@
+// Package v1 contains API Schema definitions for the onepassword v1 API group
+// +k8s:deepcopy-gen=package,register
+// +groupName=onepassword.com
+package v1
--- a/operator/pkg/apis/onepassword/v1/onepasswordsecret_types.go
+++ b/operator/pkg/apis/onepassword/v1/onepasswordsecret_types.go
@@ -0,0 +1,45 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// OnePasswordItemSpec defines the desired state of OnePasswordItem
+type OnePasswordItemSpec struct {
+	ItemPath string `json:"itemPath,omitempty"`
+}
+
+// OnePasswordItemStatus defines the observed state of OnePasswordItem
+type OnePasswordItemStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
+	// Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OnePasswordItem is the Schema for the onepassworditems API
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=onepassworditems,scope=Namespaced
+type OnePasswordItem struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   OnePasswordItemSpec   `json:"spec,omitempty"`
+	Status OnePasswordItemStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OnePasswordItemList contains a list of OnePasswordItem
+type OnePasswordItemList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OnePasswordItem `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OnePasswordItem{}, &OnePasswordItemList{})
+}
--- a/operator/pkg/apis/onepassword/v1/register.go
+++ b/operator/pkg/apis/onepassword/v1/register.go
@@ -0,0 +1,19 @@
+// NOTE: Boilerplate only.  Ignore this file.
+
+// Package v1 contains API Schema definitions for the onepassword v1 API group
+// +k8s:deepcopy-gen=package,register
+// +groupName=onepassword.com
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: "onepassword.com", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+)
--- a/operator/pkg/apis/onepassword/v1/zz_generated.deepcopy.go
+++ b/operator/pkg/apis/onepassword/v1/zz_generated.deepcopy.go
@@ -0,0 +1,102 @@
+// +build !ignore_autogenerated
+
+// Code generated by operator-sdk. DO NOT EDIT.
+
+package v1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordItem) DeepCopyInto(out *OnePasswordItem) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItem.
+func (in *OnePasswordItem) DeepCopy() *OnePasswordItem {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OnePasswordItem) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordItemList) DeepCopyInto(out *OnePasswordItemList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OnePasswordItem, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItemList.
+func (in *OnePasswordItemList) DeepCopy() *OnePasswordItemList {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordItemList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OnePasswordItemList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordItemSpec) DeepCopyInto(out *OnePasswordItemSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItemSpec.
+func (in *OnePasswordItemSpec) DeepCopy() *OnePasswordItemSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordItemSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordItemStatus) DeepCopyInto(out *OnePasswordItemStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItemStatus.
+func (in *OnePasswordItemStatus) DeepCopy() *OnePasswordItemStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordItemStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/operator/pkg/controller/add_deployment.go
+++ b/operator/pkg/controller/add_deployment.go
@@ -0,0 +1,10 @@
+package controller
+
+import (
+	"github.com/1Password/onepassword-operator/operator/pkg/controller/deployment"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, deployment.Add)
+}
--- a/operator/pkg/controller/add_onepassworditem.go
+++ b/operator/pkg/controller/add_onepassworditem.go
@@ -0,0 +1,10 @@
+package controller
+
+import (
+	"github.com/1Password/onepassword-operator/operator/pkg/controller/onepassworditem"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, onepassworditem.Add)
+}
--- a/operator/pkg/controller/controller.go
+++ b/operator/pkg/controller/controller.go
@@ -0,0 +1,19 @@
+package controller
+
+import (
+	"github.com/1Password/connect-sdk-go/connect"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+// AddToManagerFuncs is a list of functions to add all Controllers to the Manager
+var AddToManagerFuncs []func(manager.Manager, connect.Client) error
+
+// AddToManager adds all Controllers to the Manager
+func AddToManager(m manager.Manager, opConnectClient connect.Client) error {
+	for _, f := range AddToManagerFuncs {
+		if err := f(m, opConnectClient); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/operator/pkg/controller/deployment/deployment_controller.go
+++ b/operator/pkg/controller/deployment/deployment_controller.go
@@ -0,0 +1,206 @@
+package deployment
+
+import (
+	"context"
+	"fmt"
+
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+
+	"regexp"
+
+	"github.com/1Password/connect-sdk-go/connect"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var log = logf.Log.WithName("controller_deployment")
+var finalizer = "onepassword.com/finalizer.secret"
+
+const annotationRegExpString = "^operator.1password.io\\/[a-zA-Z\\.]+"
+
+func Add(mgr manager.Manager, opConnectClient connect.Client) error {
+	return add(mgr, newReconciler(mgr, opConnectClient))
+}
+
+func newReconciler(mgr manager.Manager, opConnectClient connect.Client) *ReconcileDeployment {
+	r, _ := regexp.Compile(annotationRegExpString)
+	return &ReconcileDeployment{
+		opAnnotationRegExp: r,
+		kubeClient:         mgr.GetClient(),
+		scheme:             mgr.GetScheme(),
+		opConnectClient:    opConnectClient,
+	}
+}
+
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	c, err := controller.New("deployment-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to primary resource Deployment
+	err = c.Watch(&source.Kind{Type: &appsv1.Deployment{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileDeployment{}
+
+type ReconcileDeployment struct {
+	opAnnotationRegExp *regexp.Regexp
+	kubeClient         client.Client
+	scheme             *runtime.Scheme
+	opConnectClient    connect.Client
+}
+
+func (r *ReconcileDeployment) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&appsv1.Deployment{}).
+		Complete(r)
+}
+
+func (r *ReconcileDeployment) test() {
+	return
+}
+
+// Reconcile reads that state of the cluster for a Deployment object and makes changes based on the state read
+// and what is in the Deployment.Spec
+// Note:
+// The Controller will requeue the Request to be processed again if the returned error is non-nil or
+// Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
+func (r *ReconcileDeployment) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	ctx := context.Background()
+	reqLogger := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	reqLogger.Info("Reconciling Deployment")
+
+	deployment := &appsv1.Deployment{}
+	err := r.kubeClient.Get(ctx, request.NamespacedName, deployment)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+		return reconcile.Result{}, err
+	}
+
+	annotations, annotationsFound := op.GetAnnotationsForDeployment(deployment, r.opAnnotationRegExp)
+	if !annotationsFound {
+		reqLogger.Info("No 1Password Annotations found")
+		return reconcile.Result{}, nil
+	}
+
+	//If the deployment is not being deleted
+	if deployment.ObjectMeta.DeletionTimestamp.IsZero() {
+		// Adds a finalizer to the deployment if one does not exist.
+		// This is so we can handle cleanup of associated secrets properly
+		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
+			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer)
+			if err := r.kubeClient.Update(context.Background(), deployment); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+		// Handles creation or updating secrets for deployment if needed
+		if err := r.HandleApplyingDeployment(deployment.Namespace, annotations, request); err != nil {
+			return reconcile.Result{}, err
+		}
+		return reconcile.Result{}, nil
+	}
+	// The deployment has been marked for deletion. If the one password
+	// finalizer is found there are cleanup tasks to perform
+	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
+
+		secretName := annotations[op.NameAnnotation]
+		r.cleanupKubernetesSecretForDeployment(secretName, deployment)
+
+		// Remove the finalizer from the deployment so deletion of deployment can be completed
+		if err := r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileDeployment) cleanupKubernetesSecretForDeployment(secretName string, deletedDeployment *appsv1.Deployment) error {
+	kubernetesSecret := &corev1.Secret{}
+	kubernetesSecret.ObjectMeta.Name = secretName
+	kubernetesSecret.ObjectMeta.Namespace = deletedDeployment.Namespace
+
+	if len(secretName) == 0 {
+		return nil
+	}
+	updatedSecrets := map[string]*corev1.Secret{secretName: kubernetesSecret}
+
+	multipleDeploymentsUsingSecret, err := r.areMultipleDeploymentsUsingSecret(updatedSecrets, *deletedDeployment)
+	if err != nil {
+		return err
+	}
+
+	// Only delete the associated kubernetes secret if it is not being used by other deployments
+	if !multipleDeploymentsUsingSecret {
+		if err := r.kubeClient.Delete(context.Background(), kubernetesSecret); err != nil {
+			if !errors.IsNotFound(err) {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileDeployment) areMultipleDeploymentsUsingSecret(updatedSecrets map[string]*corev1.Secret, deletedDeployment appsv1.Deployment) (bool, error) {
+	deployments := &appsv1.DeploymentList{}
+	opts := []client.ListOption{
+		client.InNamespace(deletedDeployment.Namespace),
+	}
+
+	err := r.kubeClient.List(context.Background(), deployments, opts...)
+	if err != nil {
+		log.Error(err, "Failed to list kubernetes deployments")
+		return false, err
+	}
+
+	for i := 0; i < len(deployments.Items); i++ {
+		if deployments.Items[i].Name != deletedDeployment.Name {
+			if op.IsDeploymentUsingSecrets(&deployments.Items[i], updatedSecrets) {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+func (r *ReconcileDeployment) removeOnePasswordFinalizerFromDeployment(deployment *appsv1.Deployment) error {
+	deployment.ObjectMeta.Finalizers = utils.RemoveString(deployment.ObjectMeta.Finalizers, finalizer)
+	return r.kubeClient.Update(context.Background(), deployment)
+}
+
+func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotations map[string]string, request reconcile.Request) error {
+	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+
+	secretName := annotations[op.NameAnnotation]
+	secretLabels := map[string]string(nil)
+	if len(secretName) == 0 {
+		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
+		return nil
+	}
+
+	item, err := op.GetOnePasswordItemByPath(r.opConnectClient, annotations[op.ItemPathAnnotation])
+	if err != nil {
+		return fmt.Errorf("Failed to retrieve item: %v", err)
+	}
+
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
+}
--- a/operator/pkg/controller/deployment/deployment_controller_test.go
+++ b/operator/pkg/controller/deployment/deployment_controller_test.go
@@ -0,0 +1,480 @@
+package deployment
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+const (
+	deploymentKind       = "Deployment"
+	deploymentAPIVersion = "v1"
+	name                 = "test-deployment"
+	namespace            = "default"
+	vaultId              = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId               = "nwrhuano7bcwddcviubpp4mhfq"
+	username             = "test-user"
+	password             = "QmHumKc$mUeEem7caHtbaBaJ"
+	userKey              = "username"
+	passKey              = "password"
+	version              = 123
+)
+
+type testReconcileItem struct {
+	testName             string
+	deploymentResource   *appsv1.Deployment
+	existingSecret       *corev1.Secret
+	expectedError        error
+	expectedResultSecret *corev1.Secret
+	expectedEvents       []string
+	opItem               map[string]string
+	existingDeployment   *appsv1.Deployment
+}
+
+var (
+	expectedSecretData = map[string][]byte{
+		"password": []byte(password),
+		"username": []byte(username),
+	}
+	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+)
+
+var (
+	time     = metav1.Now()
+	regex, _ = regexp.Compile(annotationRegExpString)
+)
+
+var tests = []testReconcileItem{
+	{
+		testName: "Test Delete Deployment where secret is being used in another deployment's volumes",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "another-deployment",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Volumes: []corev1.Volume{
+							{
+								Name: name,
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: name,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Delete Deployment where secret is being used in another deployment's container",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "another-deployment",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Delete Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError:        nil,
+		expectedResultSecret: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Do not update if Annotations have not changed",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+				Labels: map[string]string{},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+				Labels: map[string]string(nil),
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: "data we don't expect to have updated",
+			passKey: "data we don't expect to have updated",
+		},
+	},
+	{
+		testName: "Test Updating Existing Kubernetes Secret using Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: "456",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Create Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+}
+
+func TestReconcileDepoyment(t *testing.T) {
+	for _, testData := range tests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(appsv1.SchemeGroupVersion, testData.deploymentResource)
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.deploymentResource,
+			}
+
+			if testData.existingSecret != nil {
+				objs = append(objs, testData.existingSecret)
+			}
+
+			if testData.existingDeployment != nil {
+				objs = append(objs, testData.existingDeployment)
+			}
+
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+			// Create a Deployment object with the scheme and mock  kubernetes
+			// and 1Password Connect client.
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Version = version
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+			r := &ReconcileDeployment{
+				kubeClient:         cl,
+				scheme:             s,
+				opConnectClient:    opConnectClient,
+				opAnnotationRegExp: regex,
+			}
+
+			// Mock request to simulate Reconcile() being called on an event for a
+			// watched resource .
+			req := reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      name,
+					Namespace: namespace,
+				},
+			}
+			_, err := r.Reconcile(req)
+
+			assert.Equal(t, testData.expectedError, err)
+
+			var expectedSecretName string
+			if testData.expectedResultSecret == nil {
+				expectedSecretName = testData.deploymentResource.Name
+			} else {
+				expectedSecretName = testData.expectedResultSecret.Name
+			}
+
+			// Check if Secret has been created and has the correct data
+			secret := &corev1.Secret{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
+
+			if testData.expectedResultSecret == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
+				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
+				assert.Equal(t, testData.expectedResultSecret.Annotations[op.VersionAnnotation], secret.Annotations[op.VersionAnnotation])
+
+				updatedCR := &appsv1.Deployment{}
+				err = cl.Get(context.TODO(), req.NamespacedName, updatedCR)
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func generateFields(username, password string) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{
+		{
+			Label: "username",
+			Value: username,
+		},
+		{
+			Label: "password",
+			Value: password,
+		},
+	}
+	return fields
+}
--- a/operator/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/operator/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -0,0 +1,157 @@
+package onepassworditem
+
+import (
+	"context"
+	"fmt"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+
+	"github.com/1Password/connect-sdk-go/connect"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var log = logf.Log.WithName("controller_onepassworditem")
+var finalizer = "onepassword.com/finalizer.secret"
+
+func Add(mgr manager.Manager, opConnectClient connect.Client) error {
+	return add(mgr, newReconciler(mgr, opConnectClient))
+}
+
+func newReconciler(mgr manager.Manager, opConnectClient connect.Client) *ReconcileOnePasswordItem {
+	return &ReconcileOnePasswordItem{
+		kubeClient:      mgr.GetClient(),
+		scheme:          mgr.GetScheme(),
+		opConnectClient: opConnectClient,
+	}
+}
+
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	c, err := controller.New("onepassworditem-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to primary resource OnePasswordItem
+	err = c.Watch(&source.Kind{Type: &onepasswordv1.OnePasswordItem{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileOnePasswordItem{}
+
+type ReconcileOnePasswordItem struct {
+	kubeClient      kubeClient.Client
+	scheme          *runtime.Scheme
+	opConnectClient connect.Client
+}
+
+func (r *ReconcileOnePasswordItem) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&onepasswordv1.OnePasswordItem{}).
+		Complete(r)
+}
+
+func (r *ReconcileOnePasswordItem) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	reqLogger := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	reqLogger.Info("Reconciling OnePasswordItem")
+
+	onepassworditem := &onepasswordv1.OnePasswordItem{}
+	err := r.kubeClient.Get(context.Background(), request.NamespacedName, onepassworditem)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+		return reconcile.Result{}, err
+	}
+
+	// If the deployment is not being deleted
+	if onepassworditem.ObjectMeta.DeletionTimestamp.IsZero() {
+		// Adds a finalizer to the deployment if one does not exist.
+		// This is so we can handle cleanup of associated secrets properly
+		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
+			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer)
+			if err := r.kubeClient.Update(context.Background(), onepassworditem); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+
+		// Handles creation or updating secrets for deployment if needed
+		if err := r.HandleOnePasswordItem(onepassworditem, request); err != nil {
+			return reconcile.Result{}, err
+		}
+		return reconcile.Result{}, nil
+	}
+	// If one password finalizer exists then we must cleanup associated secrets
+	if utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
+
+		// Delete associated kubernetes secret
+		if err = r.cleanupKubernetesSecret(onepassworditem); err != nil {
+			return reconcile.Result{}, err
+		}
+
+		// Remove finalizer now that cleanup is complete
+		if err := r.removeFinalizer(onepassworditem); err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileOnePasswordItem) removeFinalizer(onePasswordItem *onepasswordv1.OnePasswordItem) error {
+	onePasswordItem.ObjectMeta.Finalizers = utils.RemoveString(onePasswordItem.ObjectMeta.Finalizers, finalizer)
+	if err := r.kubeClient.Update(context.Background(), onePasswordItem); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *ReconcileOnePasswordItem) cleanupKubernetesSecret(onePasswordItem *onepasswordv1.OnePasswordItem) error {
+	kubernetesSecret := &corev1.Secret{}
+	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name
+	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace
+
+	r.kubeClient.Delete(context.Background(), kubernetesSecret)
+	if err := r.kubeClient.Delete(context.Background(), kubernetesSecret); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem(opSecret *onepasswordv1.OnePasswordItem) error {
+	opSecret.ObjectMeta.Finalizers = utils.RemoveString(opSecret.ObjectMeta.Finalizers, finalizer)
+	return r.kubeClient.Update(context.Background(), opSecret)
+}
+
+func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
+	secretName := resource.GetName()
+	labels := resource.Labels
+	annotations := resource.Annotations
+	autoRestart := annotations[op.RestartDeploymentsAnnotation]
+
+	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
+	if err != nil {
+		return fmt.Errorf("Failed to retrieve item: %v", err)
+	}
+
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
+}
--- a/operator/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/operator/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -0,0 +1,439 @@
+package onepassworditem
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+const (
+	onePasswordItemKind       = "OnePasswordItem"
+	onePasswordItemAPIVersion = "onepassword.com/v1"
+	name                      = "test"
+	namespace                 = "default"
+	vaultId                   = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
+	username                  = "test-user"
+	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
+	firstHost                 = "http://localhost:8080"
+	awsKey                    = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+	iceCream                  = "freezing blue 20%"
+	userKey                   = "username"
+	passKey                   = "password"
+	version                   = 123
+)
+
+type testReconcileItem struct {
+	testName                string
+	customResource          *onepasswordv1.OnePasswordItem
+	existingSecret          *corev1.Secret
+	expectedError           error
+	expectedResultSecret    *corev1.Secret
+	expectedEvents          []string
+	opItem                  map[string]string
+	existingOnePasswordItem *onepasswordv1.OnePasswordItem
+}
+
+var (
+	expectedSecretData = map[string][]byte{
+		"password": []byte(password),
+		"username": []byte(username),
+	}
+	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+)
+
+var (
+	time = metav1.Now()
+)
+
+var tests = []testReconcileItem{
+	{
+		testName: "Test Delete OnePasswordItem",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError:        nil,
+		expectedResultSecret: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Do not update if OnePassword Version has not changed",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: "data we don't expect to have updated",
+			passKey: "data we don't expect to have updated",
+		},
+	},
+	{
+		testName: "Test Updating Existing Kubernetes Secret using OnePasswordItem",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  "456",
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Custom secret type",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with fields and sections that have invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":       []byte(password),
+				"username":       []byte(username),
+				"first-host":     []byte(firstHost),
+				"AWS-Access-Key": []byte(awsKey),
+				"ice-cream-type": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:            username,
+			passKey:            password,
+			"first host":       firstHost,
+			"AWS Access Key":   awsKey,
+			"😄 ice-cream type": iceCream,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with `-`, `_` and `.`",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!.my_sECReT.it3m%-_",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret.it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":          []byte(password),
+				"username":          []byte(username),
+				"first-host":        []byte(firstHost),
+				"AWS-Access-Key":    []byte(awsKey),
+				"-_ice_cream.type.": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:               username,
+			passKey:               password,
+			"first host":          firstHost,
+			"AWS Access Key":      awsKey,
+			"😄 -_ice_cream.type.": iceCream,
+		},
+	},
+}
+
+func TestReconcileOnePasswordItem(t *testing.T) {
+	for _, testData := range tests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(onepasswordv1.SchemeGroupVersion, testData.customResource)
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.customResource,
+			}
+
+			if testData.existingSecret != nil {
+				objs = append(objs, testData.existingSecret)
+			}
+
+			if testData.existingOnePasswordItem != nil {
+				objs = append(objs, testData.existingOnePasswordItem)
+			}
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+			// Create a OnePasswordItem object with the scheme and mock  kubernetes
+			// and 1Password Connect client.
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = []*onepassword.ItemField{}
+				for k, v := range testData.opItem {
+					item.Fields = append(item.Fields, &onepassword.ItemField{Label: k, Value: v})
+				}
+				item.Version = version
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+			r := &ReconcileOnePasswordItem{
+				kubeClient:      cl,
+				scheme:          s,
+				opConnectClient: opConnectClient,
+			}
+
+			// Mock request to simulate Reconcile() being called on an event for a
+			// watched resource .
+			req := reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      testData.customResource.ObjectMeta.Name,
+					Namespace: testData.customResource.ObjectMeta.Namespace,
+				},
+			}
+			_, err := r.Reconcile(req)
+
+			assert.Equal(t, testData.expectedError, err)
+
+			var expectedSecretName string
+			if testData.expectedResultSecret == nil {
+				expectedSecretName = testData.customResource.Name
+			} else {
+				expectedSecretName = testData.expectedResultSecret.Name
+			}
+
+			// Check if Secret has been created and has the correct data
+			secret := &corev1.Secret{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
+
+			if testData.expectedResultSecret == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
+				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
+				assert.Equal(t, testData.expectedResultSecret.Annotations[op.VersionAnnotation], secret.Annotations[op.VersionAnnotation])
+
+				updatedCR := &onepasswordv1.OnePasswordItem{}
+				err = cl.Get(context.TODO(), req.NamespacedName, updatedCR)
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func generateFields(username, password string) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{
+		{
+			Label: "username",
+			Value: username,
+		},
+		{
+			Label: "password",
+			Value: password,
+		},
+	}
+	return fields
+}
--- a/operator/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/operator/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -0,0 +1,147 @@
+package kubernetessecrets
+
+import (
+	"context"
+	"fmt"
+
+	"regexp"
+	"strings"
+
+	"reflect"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
+	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const OnepasswordPrefix = "operator.1password.io"
+const NameAnnotation = OnepasswordPrefix + "/item-name"
+const VersionAnnotation = OnepasswordPrefix + "/item-version"
+const restartAnnotation = OnepasswordPrefix + "/last-restarted"
+const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
+const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
+
+var log = logf.Log
+
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
+
+	itemVersion := fmt.Sprint(item.Version)
+
+	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
+	if secretAnnotations == nil {
+		secretAnnotations = map[string]string{}
+	}
+
+	secretAnnotations[VersionAnnotation] = itemVersion
+	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
+
+	if autoRestart != "" {
+		_, err := utils.StringToBool(autoRestart)
+		if err != nil {
+			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
+			return err
+		}
+		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
+	}
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
+
+	currentSecret := &corev1.Secret{}
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
+	if err != nil && errors.IsNotFound(err) {
+		log.Info(fmt.Sprintf("Creating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
+		return kubeClient.Create(context.Background(), secret)
+	} else if err != nil {
+		return err
+	}
+
+	if !reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || !reflect.DeepEqual(currentSecret.Labels, labels) {
+		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
+		currentSecret.ObjectMeta.Annotations = secretAnnotations
+		currentSecret.ObjectMeta.Labels = labels
+		currentSecret.Data = secret.Data
+		return kubeClient.Update(context.Background(), currentSecret)
+	}
+
+	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists", secret.Name, secret.Annotations[VersionAnnotation]))
+	return nil
+}
+
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        formatSecretName(name),
+			Namespace:   namespace,
+			Annotations: annotations,
+			Labels:      labels,
+		},
+		Data: BuildKubernetesSecretData(item.Fields),
+	}
+}
+
+func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byte {
+	secretData := map[string][]byte{}
+	for i := 0; i < len(fields); i++ {
+		if fields[i].Value != "" {
+			key := formatSecretDataName(fields[i].Label)
+			secretData[key] = []byte(fields[i].Value)
+		}
+	}
+	return secretData
+}
+
+// formatSecretName rewrites a value to be a valid Secret name.
+//
+// The Secret meta.name and data keys must be valid DNS subdomain names
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretName(value string) string {
+	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretName(value)
+}
+
+// formatSecretDataName rewrites a value to be a valid Secret data key.
+//
+// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretDataName(value string) string {
+	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretDataName(value)
+}
+
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
+
+func createValidSecretName(value string) string {
+	result := strings.ToLower(value)
+	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	// first and last character MUST be alphanumeric
+	return strings.Trim(result, "-.")
+}
+
+var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
+var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
+
+func createValidSecretDataName(value string) string {
+	result := invalidStartEndChars.ReplaceAllString(value, "")
+	result = invalidDataChars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	return result
+}
--- a/operator/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/operator/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -0,0 +1,224 @@
+package kubernetessecrets
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+const restartDeploymentAnnotation = "false"
+
+type k8s struct {
+	clientset kubernetes.Interface
+}
+
+func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "test-secret-name"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	createdSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not created: %v", err)
+	}
+	compareFields(item.Fields, createdSecret.Data, t)
+	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+
+	if createdSecret.Annotations["testAnnotation"] != "exists" {
+		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
+	}
+}
+
+func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "test-secret-update"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{}
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	// Updating kubernetes secret with new item
+	newItem := onepassword.Item{}
+	newItem.Fields = generateFields(6)
+	newItem.Version = 456
+	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	updatedSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, updatedSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not found: %v", err)
+	}
+	compareFields(newItem.Fields, updatedSecret.Data, t)
+	compareAnnotationsToItem(updatedSecret.Annotations, newItem, t)
+}
+func TestBuildKubernetesSecretData(t *testing.T) {
+	fields := generateFields(5)
+
+	secretData := BuildKubernetesSecretData(fields)
+	if len(secretData) != len(fields) {
+		t.Errorf("Unexpected number of secret fields returned. Expected 3, got %v", len(secretData))
+	}
+	compareFields(fields, secretData, t)
+}
+
+func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	annotationKey := "annotationKey"
+	annotationValue := "annotationValue"
+	name := "someName"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		annotationKey: annotationValue,
+	}
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	labels := map[string]string{}
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
+	if kubeSecret.Name != strings.ToLower(name) {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+	if kubeSecret.Annotations[annotationKey] != annotations[annotationKey] {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+	compareFields(item.Fields, kubeSecret.Data, t)
+}
+
+func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
+	name := "inV@l1d k8s secret%name"
+	expectedName := "inv-l1d-k8s-secret-name"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		"annotationKey": "annotationValue",
+	}
+	labels := map[string]string{}
+	item := onepassword.Item{}
+
+	item.Fields = []*onepassword.ItemField{
+		{
+			Label: "label w%th invalid ch!rs-",
+			Value: "value1",
+		},
+		{
+			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
+			Value: "name exceeds max length",
+		},
+	}
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels,  item)
+
+	// Assert Secret's meta.name was fixed
+	if kubeSecret.Name != expectedName {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+
+	// assert labels were fixed for each data key
+	for key := range kubeSecret.Data {
+		if !validLabel(key) {
+			t.Errorf("Expected valid kubernetes label, got %s", key)
+		}
+	}
+}
+
+func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
+	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
+	if err != nil {
+		t.Errorf("Was unable to parse Item Path")
+	}
+	if actualVaultId != item.Vault.ID {
+		t.Errorf("Expected annotation vault id to be %v but was %v", item.Vault.ID, actualVaultId)
+	}
+	if actualItemId != item.ID {
+		t.Errorf("Expected annotation item id to be %v but was %v", item.ID, actualItemId)
+	}
+	if annotations[VersionAnnotation] != fmt.Sprint(item.Version) {
+		t.Errorf("Expected annotation version to be %v but was %v", item.Version, annotations[VersionAnnotation])
+	}
+
+	if annotations[RestartDeploymentsAnnotation] != "false" {
+		t.Errorf("Expected restart deployments annotation to be %v but was %v", restartDeploymentAnnotation, RestartDeploymentsAnnotation)
+	}
+}
+
+func compareFields(actualFields []*onepassword.ItemField, secretData map[string][]byte, t *testing.T) {
+	for i := 0; i < len(actualFields); i++ {
+		value, found := secretData[actualFields[i].Label]
+		if !found {
+			t.Errorf("Expected key %v is missing from secret data", actualFields[i].Label)
+		}
+		if string(value) != actualFields[i].Value {
+			t.Errorf("Expected value %v but got %v", actualFields[i].Value, value)
+		}
+	}
+}
+
+func generateFields(numToGenerate int) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{}
+	for i := 0; i < numToGenerate; i++ {
+		field := onepassword.ItemField{
+			Label: "key" + fmt.Sprint(i),
+			Value: "value" + fmt.Sprint(i),
+		}
+		fields = append(fields, &field)
+	}
+	return fields
+}
+
+func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
+		return splitPath[1], splitPath[3], nil
+	}
+	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+}
+
+func validLabel(v string) bool {
+	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
+		return false
+	}
+	return true
+}
--- a/operator/pkg/mocks/mocksecretserver.go
+++ b/operator/pkg/mocks/mocksecretserver.go
@@ -0,0 +1,66 @@
+package mocks
+
+import (
+	"github.com/1Password/connect-sdk-go/onepassword"
+)
+
+type TestClient struct {
+	GetVaultsFunc        func() ([]onepassword.Vault, error)
+	GetVaultsByTitleFunc func(title string) ([]onepassword.Vault, error)
+	GetItemFunc          func(uuid string, vaultUUID string) (*onepassword.Item, error)
+	GetItemsFunc         func(vaultUUID string) ([]onepassword.Item, error)
+	GetItemsByTitleFunc  func(title string, vaultUUID string) ([]onepassword.Item, error)
+	GetItemByTitleFunc   func(title string, vaultUUID string) (*onepassword.Item, error)
+	CreateItemFunc       func(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error)
+	UpdateItemFunc       func(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error)
+	DeleteItemFunc       func(item *onepassword.Item, vaultUUID string) error
+}
+
+var (
+	GetGetVaultsFunc       func() ([]onepassword.Vault, error)
+	DoGetVaultsByTitleFunc func(title string) ([]onepassword.Vault, error)
+	GetGetItemFunc         func(uuid string, vaultUUID string) (*onepassword.Item, error)
+	DoGetItemsByTitleFunc  func(title string, vaultUUID string) ([]onepassword.Item, error)
+	DoGetItemByTitleFunc   func(title string, vaultUUID string) (*onepassword.Item, error)
+	DoCreateItemFunc       func(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error)
+	DoDeleteItemFunc       func(item *onepassword.Item, vaultUUID string) error
+	DoGetItemsFunc         func(vaultUUID string) ([]onepassword.Item, error)
+	DoUpdateItemFunc       func(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error)
+)
+
+// Do is the mock client's `Do` func
+func (m *TestClient) GetVaults() ([]onepassword.Vault, error) {
+	return GetGetVaultsFunc()
+}
+
+func (m *TestClient) GetVaultsByTitle(title string) ([]onepassword.Vault, error) {
+	return DoGetVaultsByTitleFunc(title)
+}
+
+func (m *TestClient) GetItem(uuid string, vaultUUID string) (*onepassword.Item, error) {
+	return GetGetItemFunc(uuid, vaultUUID)
+}
+
+func (m *TestClient) GetItems(vaultUUID string) ([]onepassword.Item, error) {
+	return DoGetItemsFunc(vaultUUID)
+}
+
+func (m *TestClient) GetItemsByTitle(title, vaultUUID string) ([]onepassword.Item, error) {
+	return DoGetItemsByTitleFunc(title, vaultUUID)
+}
+
+func (m *TestClient) GetItemByTitle(title string, vaultUUID string) (*onepassword.Item, error) {
+	return DoGetItemByTitleFunc(title, vaultUUID)
+}
+
+func (m *TestClient) CreateItem(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error) {
+	return DoCreateItemFunc(item, vaultUUID)
+}
+
+func (m *TestClient) DeleteItem(item *onepassword.Item, vaultUUID string) error {
+	return DoDeleteItemFunc(item, vaultUUID)
+}
+
+func (m *TestClient) UpdateItem(item *onepassword.Item, vaultUUID string) (*onepassword.Item, error) {
+	return DoUpdateItemFunc(item, vaultUUID)
+}
--- a/operator/pkg/onepassword/annotations.go
+++ b/operator/pkg/onepassword/annotations.go
@@ -0,0 +1,60 @@
+package onepassword
+
+import (
+	"regexp"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	OnepasswordPrefix            = "operator.1password.io"
+	ItemPathAnnotation           = OnepasswordPrefix + "/item-path"
+	NameAnnotation               = OnepasswordPrefix + "/item-name"
+	VersionAnnotation            = OnepasswordPrefix + "/item-version"
+	RestartAnnotation            = OnepasswordPrefix + "/last-restarted"
+	RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
+)
+
+func GetAnnotationsForDeployment(deployment *appsv1.Deployment, regex *regexp.Regexp) (map[string]string, bool) {
+	annotationsFound := false
+	annotations := FilterAnnotations(deployment.Annotations, regex)
+	if len(annotations) > 0 {
+		annotationsFound = true
+	} else {
+		annotations = FilterAnnotations(deployment.Spec.Template.Annotations, regex)
+		if len(annotations) > 0 {
+			annotationsFound = true
+		} else {
+			annotationsFound = false
+		}
+	}
+
+	return annotations, annotationsFound
+}
+
+func FilterAnnotations(annotations map[string]string, regex *regexp.Regexp) map[string]string {
+	filteredAnnotations := make(map[string]string)
+	for key, value := range annotations {
+		if regex.MatchString(key) && key != RestartAnnotation && key != RestartDeploymentsAnnotation {
+			filteredAnnotations[key] = value
+		}
+	}
+	return filteredAnnotations
+}
+
+func AreAnnotationsUsingSecrets(annotations map[string]string, secrets map[string]*corev1.Secret) bool {
+	_, ok := secrets[annotations[NameAnnotation]]
+	if ok {
+		return true
+	}
+	return false
+}
+
+func AppendAnnotationUpdatedSecret(annotations map[string]string, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
+	secret, ok := secrets[annotations[NameAnnotation]]
+	if ok {
+		updatedDeploymentSecrets[secret.Name] = secret
+	}
+	return updatedDeploymentSecrets
+}
--- a/operator/pkg/onepassword/annotations_test.go
+++ b/operator/pkg/onepassword/annotations_test.go
@@ -0,0 +1,93 @@
+package onepassword
+
+import (
+	"regexp"
+	"testing"
+
+	appsv1 "k8s.io/api/apps/v1"
+)
+
+const AnnotationRegExpString = "^operator.1password.io\\/[a-zA-Z\\.]+"
+
+func TestFilterAnnotations(t *testing.T) {
+	invalidAnnotation1 := "onepasswordconnect/vaultId"
+	invalidAnnotation2 := "onepasswordconnectkubernetesSecrets"
+
+	annotations := getValidAnnotations()
+	annotations[invalidAnnotation1] = "This should be filtered"
+	annotations[invalidAnnotation2] = "This should be filtered too"
+
+	r, _ := regexp.Compile(AnnotationRegExpString)
+	filteredAnnotations := FilterAnnotations(annotations, r)
+	if len(filteredAnnotations) != 2 {
+		t.Errorf("Unexpected number of filtered annotations returned. Expected 2, got %v", len(filteredAnnotations))
+	}
+	_, found := filteredAnnotations[ItemPathAnnotation]
+	if !found {
+		t.Errorf("One Password Annotation was filtered when it should not have been")
+	}
+	_, found = filteredAnnotations[NameAnnotation]
+	if !found {
+		t.Errorf("One Password Annotation was filtered when it should not have been")
+	}
+}
+
+func TestGetTopLevelAnnotationsForDeployment(t *testing.T) {
+	annotations := getValidAnnotations()
+	expectedNumAnnotations := len(annotations)
+	r, _ := regexp.Compile(AnnotationRegExpString)
+
+	deployment := &appsv1.Deployment{}
+	deployment.Annotations = annotations
+	filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
+
+	if !annotationsFound {
+		t.Errorf("No annotations marked as found")
+	}
+
+	numAnnotations := len(filteredAnnotations)
+	if expectedNumAnnotations != numAnnotations {
+		t.Errorf("Expected %v annotations got %v", expectedNumAnnotations, numAnnotations)
+	}
+}
+
+func TestGetTemplateAnnotationsForDeployment(t *testing.T) {
+	annotations := getValidAnnotations()
+	expectedNumAnnotations := len(annotations)
+	r, _ := regexp.Compile(AnnotationRegExpString)
+
+	deployment := &appsv1.Deployment{}
+	deployment.Spec.Template.Annotations = annotations
+	filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
+
+	if !annotationsFound {
+		t.Errorf("No annotations marked as found")
+	}
+
+	numAnnotations := len(filteredAnnotations)
+	if expectedNumAnnotations != numAnnotations {
+		t.Errorf("Expected %v annotations got %v", expectedNumAnnotations, numAnnotations)
+	}
+}
+
+func TestGetNoAnnotationsForDeployment(t *testing.T) {
+	deployment := &appsv1.Deployment{}
+	r, _ := regexp.Compile(AnnotationRegExpString)
+	filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
+
+	if annotationsFound {
+		t.Errorf("No annotations should be found")
+	}
+
+	numAnnotations := len(filteredAnnotations)
+	if 0 != numAnnotations {
+		t.Errorf("Expected %v annotations got %v", 0, numAnnotations)
+	}
+}
+
+func getValidAnnotations() map[string]string {
+	return map[string]string{
+		ItemPathAnnotation: "vaults/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/items/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
+		NameAnnotation:     "secretName",
+	}
+}
--- a/operator/pkg/onepassword/connect_setup.go
+++ b/operator/pkg/onepassword/connect_setup.go
@@ -0,0 +1,117 @@
+package onepassword
+
+import (
+	"context"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"os"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+var logConnectSetup = logf.Log.WithName("ConnectSetup")
+var deploymentPath = "deploy/connect/deployment.yaml"
+var servicePath = "deploy/connect/service.yaml"
+
+func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
+	err := setupService(kubeClient, servicePath, deploymentNamespace)
+	if err != nil {
+		return err
+	}
+
+	err = setupDeployment(kubeClient, deploymentPath, deploymentNamespace)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func setupDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
+	existingDeployment := &appsv1.Deployment{}
+
+	// check if deployment has already been created
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment")
+			return createDeployment(kubeClient, deploymentPath, deploymentNamespace)
+		}
+	}
+	return err
+}
+
+func createDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
+	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace)
+	if err != nil {
+		return err
+	}
+
+	err = kubeClient.Create(context.Background(), deployment)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*appsv1.Deployment, error) {
+	f, err := os.Open(deploymentPath)
+	if err != nil {
+		return nil, err
+	}
+	deployment := &appsv1.Deployment{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}
+
+	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(deployment)
+	if err != nil {
+		return nil, err
+	}
+	return deployment, nil
+}
+
+func setupService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
+	existingService := &corev1.Service{}
+
+	//check if service has already been created
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			logConnectSetup.Info("No existing Connect service found. Creating Service")
+			return createService(kubeClient, servicePath, deploymentNamespace)
+		}
+	}
+	return err
+}
+
+func createService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
+	f, err := os.Open(servicePath)
+	if err != nil {
+		return err
+	}
+	service := &corev1.Service{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}
+
+	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(service)
+	if err != nil {
+		return err
+	}
+
+	err = kubeClient.Create(context.Background(), service)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/operator/pkg/onepassword/connect_setup_test.go
+++ b/operator/pkg/onepassword/connect_setup_test.go
@@ -0,0 +1,65 @@
+package onepassword
+
+import (
+	"context"
+	"testing"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+var defaultNamespacedName = types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}
+
+func TestServiceSetup(t *testing.T) {
+
+	// Register operator types with the runtime scheme.
+	s := scheme.Scheme
+
+	// Objects to track in the fake client.
+	objs := []runtime.Object{}
+
+	// Create a fake client to mock API calls.
+	client := fake.NewFakeClientWithScheme(s, objs...)
+
+	err := setupService(client, "../../deploy/connect/service.yaml", defaultNamespacedName.Namespace)
+
+	if err != nil {
+		t.Errorf("Error Setting Up Connect: %v", err)
+	}
+
+	// check that service was created
+	service := &corev1.Service{}
+	err = client.Get(context.TODO(), defaultNamespacedName, service)
+	if err != nil {
+		t.Errorf("Error Setting Up Connect service: %v", err)
+	}
+}
+
+func TestDeploymentSetup(t *testing.T) {
+
+	// Register operator types with the runtime scheme.
+	s := scheme.Scheme
+
+	// Objects to track in the fake client.
+	objs := []runtime.Object{}
+
+	// Create a fake client to mock API calls.
+	client := fake.NewFakeClientWithScheme(s, objs...)
+
+	err := setupDeployment(client, "../../deploy/connect/deployment.yaml", defaultNamespacedName.Namespace)
+
+	if err != nil {
+		t.Errorf("Error Setting Up Connect: %v", err)
+	}
+
+	// check that deployment was created
+	deployment := &appsv1.Deployment{}
+	err = client.Get(context.TODO(), defaultNamespacedName, deployment)
+	if err != nil {
+		t.Errorf("Error Setting Up Connect deployment: %v", err)
+	}
+}
--- a/operator/pkg/onepassword/containers.go
+++ b/operator/pkg/onepassword/containers.go
@@ -0,0 +1,33 @@
+package onepassword
+
+import corev1 "k8s.io/api/core/v1"
+
+func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
+	for i := 0; i < len(containers); i++ {
+		envVariables := containers[i].Env
+		for j := 0; j < len(envVariables); j++ {
+			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
+				_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
+				if ok {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
+	for i := 0; i < len(containers); i++ {
+		envVariables := containers[i].Env
+		for j := 0; j < len(envVariables); j++ {
+			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
+				secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
+				if ok {
+					updatedDeploymentSecrets[secret.Name] = secret
+				}
+			}
+		}
+	}
+	return updatedDeploymentSecrets
+}
--- a/operator/pkg/onepassword/containers_test.go
+++ b/operator/pkg/onepassword/containers_test.go
@@ -0,0 +1,43 @@
+package onepassword
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestAreContainersUsingSecrets(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	containerSecretNames := []string{
+		"onepassword-database-secret",
+		"onepassword-api-key",
+		"some_other_key",
+	}
+
+	containers := generateContainers(containerSecretNames)
+
+	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
+		t.Errorf("Expected that containers were using secrets but they were not detected.")
+	}
+}
+
+func TestAreContainersNotUsingSecrets(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	containerSecretNames := []string{
+		"some_other_key",
+	}
+
+	containers := generateContainers(containerSecretNames)
+
+	if AreContainersUsingSecrets(containers, secretNamesToSearch) {
+		t.Errorf("Expected that containers were not using secrets but they were detected.")
+	}
+}
--- a/operator/pkg/onepassword/deployments.go
+++ b/operator/pkg/onepassword/deployments.go
@@ -0,0 +1,26 @@
+package onepassword
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func IsDeploymentUsingSecrets(deployment *appsv1.Deployment, secrets map[string]*corev1.Secret) bool {
+	volumes := deployment.Spec.Template.Spec.Volumes
+	containers := deployment.Spec.Template.Spec.Containers
+	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...)
+	return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || AreContainersUsingSecrets(containers, secrets) || AreVolumesUsingSecrets(volumes, secrets)
+}
+
+func GetUpdatedSecretsForDeployment(deployment *appsv1.Deployment, secrets map[string]*corev1.Secret) map[string]*corev1.Secret {
+	volumes := deployment.Spec.Template.Spec.Volumes
+	containers := deployment.Spec.Template.Spec.Containers
+	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...)
+
+	updatedSecretsForDeployment := map[string]*corev1.Secret{}
+	AppendAnnotationUpdatedSecret(deployment.Annotations, secrets, updatedSecretsForDeployment)
+	AppendUpdatedContainerSecrets(containers, secrets, updatedSecretsForDeployment)
+	AppendUpdatedVolumeSecrets(volumes, secrets, updatedSecretsForDeployment)
+
+	return updatedSecretsForDeployment
+}
--- a/operator/pkg/onepassword/deployments_test.go
+++ b/operator/pkg/onepassword/deployments_test.go
@@ -0,0 +1,58 @@
+package onepassword
+
+import (
+	"testing"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	volumeSecretNames := []string{
+		"onepassword-database-secret",
+		"onepassword-api-key",
+		"some_other_key",
+	}
+
+	deployment := &appsv1.Deployment{}
+	deployment.Spec.Template.Spec.Volumes = generateVolumes(volumeSecretNames)
+	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
+		t.Errorf("Expected that deployment was using secrets but they were not detected.")
+	}
+}
+
+func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	containerSecretNames := []string{
+		"onepassword-database-secret",
+		"onepassword-api-key",
+		"some_other_key",
+	}
+
+	deployment := &appsv1.Deployment{}
+	deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
+	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
+		t.Errorf("Expected that deployment was using secrets but they were not detected.")
+	}
+}
+
+func TestIsDeploymentNotUSingSecrets(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	deployment := &appsv1.Deployment{}
+	if IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
+		t.Errorf("Expected that deployment was using not secrets but they were detected.")
+	}
+}
--- a/operator/pkg/onepassword/items.go
+++ b/operator/pkg/onepassword/items.go
@@ -0,0 +1,92 @@
+package onepassword
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/1Password/connect-sdk-go/connect"
+	"github.com/1Password/connect-sdk-go/onepassword"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+var logger = logf.Log.WithName("retrieve_item")
+
+func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
+	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
+	if err != nil {
+		return nil, err
+	}
+	vaultId, err := getVaultId(opConnectClient, vaultValue)
+	if err != nil {
+		return nil, err
+	}
+
+	itemId, err := getItemId(opConnectClient, itemValue, vaultId)
+	if err != nil {
+		return nil, err
+	}
+
+	item, err := opConnectClient.GetItem(itemId, vaultId)
+	if err != nil {
+		return nil, err
+	}
+	return item, nil
+}
+
+func ParseVaultAndItemFromPath(path string) (string, string, error) {
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
+		return splitPath[1], splitPath[3], nil
+	}
+	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+}
+
+func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {
+	if !IsValidClientUUID(vaultIdentifier) {
+		vaults, err := client.GetVaultsByTitle(vaultIdentifier)
+		if err != nil {
+			return "", err
+		}
+
+		if len(vaults) == 0 {
+			return "", fmt.Errorf("No vaults found with identifier %q", vaultIdentifier)
+		}
+
+		oldestVault := vaults[0]
+		if len(vaults) > 1 {
+			for _, returnedVault := range vaults {
+				if returnedVault.CreatedAt.Before(oldestVault.CreatedAt) {
+					oldestVault = returnedVault
+				}
+			}
+			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", len(vaults), vaultIdentifier, oldestVault.ID))
+		}
+		vaultIdentifier = oldestVault.ID
+	}
+	return vaultIdentifier, nil
+}
+
+func getItemId(client connect.Client, itemIdentifier string, vaultId string) (string, error) {
+	if !IsValidClientUUID(itemIdentifier) {
+		items, err := client.GetItemsByTitle(itemIdentifier, vaultId)
+		if err != nil {
+			return "", err
+		}
+
+		if len(items) == 0 {
+			return "", fmt.Errorf("No items found with identifier %q", itemIdentifier)
+		}
+
+		oldestItem := items[0]
+		if len(items) > 1 {
+			for _, returnedItem := range items {
+				if returnedItem.CreatedAt.Before(oldestItem.CreatedAt) {
+					oldestItem = returnedItem
+				}
+			}
+			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", len(items), itemIdentifier, oldestItem.ID))
+		}
+		itemIdentifier = oldestItem.ID
+	}
+	return itemIdentifier, nil
+}
--- a/operator/pkg/onepassword/object_generators_for_test.go
+++ b/operator/pkg/onepassword/object_generators_for_test.go
@@ -0,0 +1,42 @@
+package onepassword
+
+import corev1 "k8s.io/api/core/v1"
+
+func generateVolumes(names []string) []corev1.Volume {
+	volumes := []corev1.Volume{}
+	for i := 0; i < len(names); i++ {
+		volume := corev1.Volume{
+			Name: names[i],
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: names[i],
+				},
+			},
+		}
+		volumes = append(volumes, volume)
+	}
+	return volumes
+}
+
+func generateContainers(names []string) []corev1.Container {
+	containers := []corev1.Container{}
+	for i := 0; i < len(names); i++ {
+		container := corev1.Container{
+			Env: []corev1.EnvVar{
+				{
+					Name: "someName",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: names[i],
+							},
+							Key: "password",
+						},
+					},
+				},
+			},
+		}
+		containers = append(containers, container)
+	}
+	return containers
+}
--- a/operator/pkg/onepassword/secret_update_handler.go
+++ b/operator/pkg/onepassword/secret_update_handler.go
@@ -0,0 +1,222 @@
+package onepassword
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+
+	"github.com/1Password/connect-sdk-go/connect"
+	"github.com/1Password/connect-sdk-go/onepassword"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const envHostVariable = "OP_HOST"
+const lockTag = "operator.1password.io:ignore-secret"
+
+var log = logf.Log.WithName("update_op_kubernetes_secrets_task")
+
+func NewManager(kubernetesClient client.Client, opConnectClient connect.Client, shouldAutoRestartDeploymentsGlobal bool) *SecretUpdateHandler {
+	return &SecretUpdateHandler{
+		client:                             kubernetesClient,
+		opConnectClient:                    opConnectClient,
+		shouldAutoRestartDeploymentsGlobal: shouldAutoRestartDeploymentsGlobal,
+	}
+}
+
+type SecretUpdateHandler struct {
+	client                             client.Client
+	opConnectClient                    connect.Client
+	shouldAutoRestartDeploymentsGlobal bool
+}
+
+func (h *SecretUpdateHandler) UpdateKubernetesSecretsTask() error {
+	updatedKubernetesSecrets, err := h.updateKubernetesSecrets()
+	if err != nil {
+		return err
+	}
+
+	return h.restartDeploymentsWithUpdatedSecrets(updatedKubernetesSecrets)
+}
+
+func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecretsByNamespace map[string]map[string]*corev1.Secret) error {
+	// No secrets to update. Exit
+	if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil {
+		return nil
+	}
+
+	deployments := &appsv1.DeploymentList{}
+	err := h.client.List(context.Background(), deployments)
+	if err != nil {
+		log.Error(err, "Failed to list kubernetes deployments")
+		return err
+	}
+
+	if len(deployments.Items) == 0 {
+		return nil
+	}
+
+	setForAutoRestartByNamespaceMap, err := h.getIsSetForAutoRestartByNamespaceMap()
+	if err != nil {
+		return err
+	}
+
+	for i := 0; i < len(deployments.Items); i++ {
+		deployment := &deployments.Items[i]
+		updatedSecrets := updatedSecretsByNamespace[deployment.Namespace]
+
+		updatedDeploymentSecrets := GetUpdatedSecretsForDeployment(deployment, updatedSecrets)
+		if len(updatedDeploymentSecrets) == 0 {
+			continue
+		}
+		for _, secret := range updatedDeploymentSecrets {
+			if isSecretSetForAutoRestart(secret, deployment, setForAutoRestartByNamespaceMap) {
+				h.restartDeployment(deployment)
+				continue
+			}
+		}
+
+		log.Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", deployment.GetName(), deployment.Namespace))
+
+	}
+	return nil
+}
+
+func (h *SecretUpdateHandler) restartDeployment(deployment *appsv1.Deployment) {
+	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", deployment.GetName(), deployment.Namespace))
+	deployment.Spec.Template.Annotations = map[string]string{
+		RestartAnnotation: time.Now().String(),
+	}
+	err := h.client.Update(context.Background(), deployment)
+	if err != nil {
+		log.Error(err, "Problem restarting deployment")
+	}
+}
+
+func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*corev1.Secret, error) {
+	secrets := &corev1.SecretList{}
+	err := h.client.List(context.Background(), secrets)
+	if err != nil {
+		log.Error(err, "Failed to list kubernetes secrets")
+		return nil, err
+	}
+
+	updatedSecrets := map[string]map[string]*corev1.Secret{}
+	for i := 0; i < len(secrets.Items); i++ {
+		secret := secrets.Items[i]
+
+		itemPath := secret.Annotations[ItemPathAnnotation]
+		currentVersion := secret.Annotations[VersionAnnotation]
+		if len(itemPath) == 0 || len(currentVersion) == 0 {
+			continue
+		}
+
+		item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
+		if err != nil {
+			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
+		}
+
+		itemVersion := fmt.Sprint(item.Version)
+		if currentVersion != itemVersion {
+			if isItemLockedForForcedRestarts(item) {
+				log.Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", secret.GetName()))
+				secret.Annotations[VersionAnnotation] = itemVersion
+				h.client.Update(context.Background(), &secret)
+				continue
+			}
+			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
+			secret.Annotations[VersionAnnotation] = itemVersion
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
+			h.client.Update(context.Background(), updatedSecret)
+			if updatedSecrets[secret.Namespace] == nil {
+				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
+			}
+			updatedSecrets[secret.Namespace][secret.Name] = &secret
+		}
+	}
+	return updatedSecrets, nil
+}
+
+func isItemLockedForForcedRestarts(item *onepassword.Item) bool {
+	tags := item.Tags
+	for i := 0; i < len(tags); i++ {
+		if tags[i] == lockTag {
+			return true
+		}
+	}
+	return false
+}
+
+func isUpdatedSecret(secretName string, updatedSecrets map[string]*corev1.Secret) bool {
+	_, ok := updatedSecrets[secretName]
+	if ok {
+		return true
+	}
+	return false
+}
+
+func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap() (map[string]bool, error) {
+	namespaces := &corev1.NamespaceList{}
+	err := h.client.List(context.Background(), namespaces)
+	if err != nil {
+		log.Error(err, "Failed to list kubernetes namespaces")
+		return nil, err
+	}
+
+	namespacesMap := map[string]bool{}
+
+	for _, namespace := range namespaces.Items {
+		namespacesMap[namespace.Name] = h.isNamespaceSetToAutoRestart(&namespace)
+	}
+	return namespacesMap, nil
+}
+
+func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool {
+	restartDeployment := secret.Annotations[RestartDeploymentsAnnotation]
+	//If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace
+	if restartDeployment == "" {
+		return isDeploymentSetForAutoRestart(deployment, setForAutoRestartByNamespace)
+	}
+
+	restartDeploymentBool, err := utils.StringToBool(restartDeployment)
+	if err != nil {
+		log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secret.Name)
+		return false
+	}
+	return restartDeploymentBool
+}
+
+func isDeploymentSetForAutoRestart(deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool {
+	restartDeployment := deployment.Annotations[RestartDeploymentsAnnotation]
+	//If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace
+	if restartDeployment == "" {
+		return setForAutoRestartByNamespace[deployment.Namespace]
+	}
+
+	restartDeploymentBool, err := utils.StringToBool(restartDeployment)
+	if err != nil {
+		log.Error(err, "Error parsing %v annotation on Deployment %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, deployment.Name)
+		return false
+	}
+	return restartDeploymentBool
+}
+
+func (h *SecretUpdateHandler) isNamespaceSetToAutoRestart(namespace *corev1.Namespace) bool {
+	restartDeployment := namespace.Annotations[RestartDeploymentsAnnotation]
+	//If annotation for auto restarts for deployment is not set. Check environment variable set on the operator
+	if restartDeployment == "" {
+		return h.shouldAutoRestartDeploymentsGlobal
+	}
+
+	restartDeploymentBool, err := utils.StringToBool(restartDeployment)
+	if err != nil {
+		log.Error(err, "Error parsing %v annotation on Namespace %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, namespace.Name)
+		return false
+	}
+	return restartDeploymentBool
+}
--- a/operator/pkg/onepassword/secret_update_handler_test.go
+++ b/operator/pkg/onepassword/secret_update_handler_test.go
@@ -0,0 +1,860 @@
+package onepassword
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+const (
+	deploymentKind       = "Deployment"
+	deploymentAPIVersion = "v1"
+	name                 = "test-deployment"
+	namespace            = "default"
+	vaultId              = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId               = "nwrhuano7bcwddcviubpp4mhfq"
+	username             = "test-user"
+	password             = "QmHumKc$mUeEem7caHtbaBaJ"
+	userKey              = "username"
+	passKey              = "password"
+	itemVersion          = 123
+)
+
+type testUpdateSecretTask struct {
+	testName                 string
+	existingDeployment       *appsv1.Deployment
+	existingNamespace        *corev1.Namespace
+	existingSecret           *corev1.Secret
+	expectedError            error
+	expectedResultSecret     *corev1.Secret
+	expectedEvents           []string
+	opItem                   map[string]string
+	expectedRestart          bool
+	globalAutoRestartEnabled bool
+}
+
+var (
+	expectedSecretData = map[string][]byte{
+		"password": []byte(password),
+		"username": []byte(username),
+	}
+	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+)
+
+var defaultNamespace = &corev1.Namespace{
+	ObjectMeta: metav1.ObjectMeta{
+		Name: namespace,
+	},
+}
+
+var tests = []testUpdateSecretTask{
+	{
+		testName:          "Test unrelated deployment is not restarted with an updated secret",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					NameAnnotation:     "unlrelated secret",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          "OP item has new version. Secret needs update. Deployment is restarted based on containers",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          "OP item has new version. Secret needs update. Deployment is restarted based on annotation",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					ItemPathAnnotation: itemPath,
+					NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          "OP item has new version. Secret needs update. Deployment is restarted based on volume",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Volumes: []corev1.Volume{
+							{
+								Name: name,
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: name,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          "No secrets need update. No deployment is restarted",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					ItemPathAnnotation: itemPath,
+					NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName: `Deployment is not restarted when no auto restart is set to true for all
+		deployments and is not overwritten by by a namespace or deployment annotation`,
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: false,
+	},
+	{
+		testName:          `Secret autostart true value takes precedence over false deployment value`,
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "false",
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:            "old version",
+					ItemPathAnnotation:           itemPath,
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:            fmt.Sprint(itemVersion),
+					ItemPathAnnotation:           itemPath,
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: false,
+	},
+	{
+		testName:          `Secret autostart true value takes precedence over false deployment value`,
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:            "old version",
+					ItemPathAnnotation:           itemPath,
+					RestartDeploymentsAnnotation: "false",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:            fmt.Sprint(itemVersion),
+					ItemPathAnnotation:           itemPath,
+					RestartDeploymentsAnnotation: "false",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          `Deployment autostart true value takes precedence over false global auto restart value`,
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: false,
+	},
+	{
+		testName: `Deployment autostart false value takes precedence over false global auto restart value,
+		 and true namespace value.`,
+		existingNamespace: &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "false",
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: false,
+	},
+	{
+		testName: `Namespace autostart true value takes precedence over false global auto restart value`,
+		existingNamespace: &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: namespace,
+				Annotations: map[string]string{
+					RestartDeploymentsAnnotation: "true",
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  "old version",
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					VersionAnnotation:  fmt.Sprint(itemVersion),
+					ItemPathAnnotation: itemPath,
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: false,
+	},
+}
+
+func TestUpdateSecretHandler(t *testing.T) {
+	for _, testData := range tests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(appsv1.SchemeGroupVersion, testData.existingDeployment)
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.existingDeployment,
+				testData.existingNamespace,
+			}
+
+			if testData.existingSecret != nil {
+				objs = append(objs, testData.existingSecret)
+			}
+
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Version = itemVersion
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+			h := &SecretUpdateHandler{
+				client:                             cl,
+				opConnectClient:                    opConnectClient,
+				shouldAutoRestartDeploymentsGlobal: testData.globalAutoRestartEnabled,
+			}
+
+			err := h.UpdateKubernetesSecretsTask()
+
+			assert.Equal(t, testData.expectedError, err)
+
+			var expectedSecretName string
+			if testData.expectedResultSecret == nil {
+				expectedSecretName = testData.existingDeployment.Name
+			} else {
+				expectedSecretName = testData.expectedResultSecret.Name
+			}
+
+			// Check if Secret has been created and has the correct data
+			secret := &corev1.Secret{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
+
+			if testData.expectedResultSecret == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
+				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
+				assert.Equal(t, testData.expectedResultSecret.Annotations[VersionAnnotation], secret.Annotations[VersionAnnotation])
+			}
+
+			//check if deployment has been restarted
+			deployment := &appsv1.Deployment{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: testData.existingDeployment.Name, Namespace: namespace}, deployment)
+
+			_, ok := deployment.Spec.Template.Annotations[RestartAnnotation]
+			if ok {
+				assert.True(t, testData.expectedRestart, "Expected deployment to restart but it did not")
+			} else {
+				assert.False(t, testData.expectedRestart, "Deployment was restarted but should not have been.")
+			}
+		})
+	}
+}
+
+func TestIsUpdatedSecret(t *testing.T) {
+
+	secretName := "test-secret"
+	updatedSecrets := map[string]*corev1.Secret{
+		"some_secret": &corev1.Secret{},
+	}
+	assert.False(t, isUpdatedSecret(secretName, updatedSecrets))
+
+	updatedSecrets[secretName] = &corev1.Secret{}
+	assert.True(t, isUpdatedSecret(secretName, updatedSecrets))
+}
+
+func generateFields(username, password string) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{
+		{
+			Label: "username",
+			Value: username,
+		},
+		{
+			Label: "password",
+			Value: password,
+		},
+	}
+	return fields
+}
--- a/operator/pkg/onepassword/uuid.go
+++ b/operator/pkg/onepassword/uuid.go
@@ -0,0 +1,20 @@
+package onepassword
+
+// UUIDLength defines the required length of UUIDs
+const UUIDLength = 26
+
+// IsValidClientUUID returns true if the given client uuid is valid.
+func IsValidClientUUID(uuid string) bool {
+	if len(uuid) != UUIDLength {
+		return false
+	}
+
+	for _, c := range uuid {
+		valid := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
+		if !valid {
+			return false
+		}
+	}
+
+	return true
+}
--- a/operator/pkg/onepassword/volumes.go
+++ b/operator/pkg/onepassword/volumes.go
@@ -0,0 +1,29 @@
+package onepassword
+
+import corev1 "k8s.io/api/core/v1"
+
+func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret) bool {
+	for i := 0; i < len(volumes); i++ {
+		if secret := volumes[i].Secret; secret != nil {
+			secretName := secret.SecretName
+			_, ok := secrets[secretName]
+			if ok {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
+	for i := 0; i < len(volumes); i++ {
+		if secret := volumes[i].Secret; secret != nil {
+			secretName := secret.SecretName
+			secret, ok := secrets[secretName]
+			if ok {
+				updatedDeploymentSecrets[secret.Name] = secret
+			}
+		}
+	}
+	return updatedDeploymentSecrets
+}
--- a/operator/pkg/onepassword/volumes_test.go
+++ b/operator/pkg/onepassword/volumes_test.go
@@ -0,0 +1,43 @@
+package onepassword
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestAreVolmesUsingSecrets(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	volumeSecretNames := []string{
+		"onepassword-database-secret",
+		"onepassword-api-key",
+		"some_other_key",
+	}
+
+	volumes := generateVolumes(volumeSecretNames)
+
+	if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
+		t.Errorf("Expected that volumes were using secrets but they were not detected.")
+	}
+}
+
+func TestAreVolumesNotUsingSecrets(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
+	}
+
+	volumeSecretNames := []string{
+		"some_other_key",
+	}
+
+	volumes := generateVolumes(volumeSecretNames)
+
+	if AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
+		t.Errorf("Expected that volumes were not using secrets but they were detected.")
+	}
+}
--- a/operator/pkg/utils/string.go
+++ b/operator/pkg/utils/string.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"strconv"
+	"strings"
+)
+
+func ContainsString(slice []string, s string) bool {
+	for _, item := range slice {
+		if item == s {
+			return true
+		}
+	}
+	return false
+}
+
+func RemoveString(slice []string, s string) (result []string) {
+	for _, item := range slice {
+		if item == s {
+			continue
+		}
+		result = append(result, item)
+	}
+	return
+}
+
+func StringToBool(str string) (bool, error) {
+	restartDeploymentBool, err := strconv.ParseBool(strings.ToLower(str))
+	if err != nil {
+		return false, err
+	}
+	return restartDeploymentBool, nil
+}
--- a/operator/version/version.go
+++ b/operator/version/version.go
@@ -0,0 +1,5 @@
+package version
+
+var (
+	Version = "0.0.1"
+)