Updating path for fetching 1password items to be of the op:// reference format

2025-10-22 07:28:06 +00:00 · 2021-09-13 10:33:34 -03:00
17 changed files with 130 additions and 117 deletions
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.

-The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
+The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Reference on a deployment.

 The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.

@@ -106,7 +106,7 @@ kind: OnePasswordItem
 metadata:
  name: <item_name> #this name will also be used for naming the generated kubernetes secret
 spec:
-  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
+  itemReference: "op://<vault_id_or_title>/<item_id_or_title>" 
 ```

 Deploy the OnePasswordItem to Kubernetes:
@@ -131,20 +131,20 @@ kind: Deployment
 metadata:
  name: deployment-example
  annotations:
-    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
+    operator.1password.io/item-reference: "op://<vault>/<item>"
    operator.1password.io/item-name: "<secret_name>"
 ```

-Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
+Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Reference.

-Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
+Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-reference` and `operator.1password.io/item-name` and no other deployment is using the secret.

 If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.

 ---
 **NOTE**

-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
+If multiple 1Password vaults/items have the same `title` when using a title in the access reference, the desired action will be performed on the oldest vault/item. 

 Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
 - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -178,7 +178,8 @@ func main() {
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				err := updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				log.Error(err, "Error occured during update secret task")
 			}
 		}
 	}()
--- a/deploy/crds/onepassword.com_onepassworditems_crd.yaml
+++ b/deploy/crds/onepassword.com_onepassworditems_crd.yaml
@@ -33,7 +33,7 @@ spec:
          spec:
            description: OnePasswordItemSpec defines the desired state of OnePasswordItem
            properties:
-              itemPath:
+              itemReference:
                type: string
            type: object
          status:
--- a/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
+++ b/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
@@ -3,4 +3,4 @@ kind: OnePasswordItem
 metadata:
  name: example
 spec:
-  itemPath: "vaults/<vault_id>/items/<item_id>"
+  itemReference: "op://<vault_id>/<item_id>"
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -16,6 +16,7 @@ spec:
      containers:
        - name: onepassword-connect-operator
          image: 1password/onepassword-operator
+          imagePullPolicy: Never
          command: ["/manager"]
          env:
            - name: WATCH_NAMESPACE
--- a/pkg/apis/onepassword/v1/onepasswordsecret_types.go
+++ b/pkg/apis/onepassword/v1/onepasswordsecret_types.go
@@ -8,7 +8,7 @@ import (

 // OnePasswordItemSpec defines the desired state of OnePasswordItem
 type OnePasswordItemSpec struct {
-	ItemPath string `json:"itemPath,omitempty"`
+	ItemReference string `json:"itemReference,omitempty"`
 }

 // OnePasswordItemStatus defines the observed state of OnePasswordItem
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -192,11 +192,11 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat

 	secretName := annotations[op.NameAnnotation]
 	if len(secretName) == 0 {
-		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
+		reqLog.Info("No 'item-name' annotation set. 'item-reference' and 'item-name' must be set as annotations to add new secret.")
 		return nil
 	}

-	item, err := op.GetOnePasswordItemByPath(r.opConnectClient, annotations[op.ItemPathAnnotation])
+	item, err := op.GetOnePasswordItemByReference(r.opConnectClient, annotations[op.ItemReferenceAnnotation])
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -52,7 +52,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	ItemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var (
@@ -76,7 +76,7 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -90,7 +90,7 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -152,7 +152,7 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -166,7 +166,7 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -235,7 +235,7 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -268,7 +268,7 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -310,7 +310,7 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
@@ -352,7 +352,7 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
+					op.ItemReferenceAnnotation: ItemReference,
 					op.NameAnnotation:          name,
 				},
 			},
--- a/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -3,6 +3,7 @@ package onepassworditem
 import (
 	"context"
 	"fmt"
+
 	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
 	"github.com/1Password/onepassword-operator/pkg/onepassword"
@@ -145,7 +146,7 @@ func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1
 	secretName := resource.GetName()
 	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]

-	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
+	item, err := onepassword.GetOnePasswordItemByReference(r.opConnectClient, resource.Spec.ItemReference)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -55,7 +55,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var (
@@ -79,7 +79,7 @@ var tests = []testReconcileItem{
 				},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -111,7 +111,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -152,7 +152,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -193,7 +193,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -225,7 +225,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -257,7 +257,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -23,7 +23,7 @@ const OnepasswordPrefix = "operator.1password.io"
 const NameAnnotation = OnepasswordPrefix + "/item-name"
 const VersionAnnotation = OnepasswordPrefix + "/item-version"
 const restartAnnotation = OnepasswordPrefix + "/last-restarted"
-const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
+const ItemReferenceAnnotation = OnepasswordPrefix + "/item-reference"
 const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"

 var log = logf.Log
@@ -33,7 +33,7 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	itemVersion := fmt.Sprint(item.Version)
 	annotations := map[string]string{
 		VersionAnnotation:       itemVersion,
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
+		ItemReferenceAnnotation: fmt.Sprintf("op://%v/%v", item.Vault.ID, item.ID),
 	}
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -3,10 +3,11 @@ package kubernetessecrets
 import (
 	"context"
 	"fmt"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"strings"
 	"testing"

+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -42,7 +43,7 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not created: %v", err)
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
-	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+	compareAnnotationsToItem(item.Vault.ID, item.ID, createdSecret.Annotations, item, t)
 }

 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -78,7 +79,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not found: %v", err)
 	}
 	compareFields(newItem.Fields, updatedSecret.Data, t)
-	compareAnnotationsToItem(updatedSecret.Annotations, newItem, t)
+	compareAnnotationsToItem(newItem.Vault.ID, newItem.ID, updatedSecret.Annotations, newItem, t)
 }
 func TestBuildKubernetesSecretData(t *testing.T) {
 	fields := generateFields(5)
@@ -152,11 +153,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	}
 }

-func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
-	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
-	if err != nil {
-		t.Errorf("Was unable to parse Item Path")
-	}
+func compareAnnotationsToItem(actualVaultId, actualItemId string, annotations map[string]string, item onepassword.Item, t *testing.T) {
 	if actualVaultId != item.Vault.ID {
 		t.Errorf("Expected annotation vault id to be %v but was %v", item.Vault.ID, actualVaultId)
 	}
@@ -196,14 +193,6 @@ func generateFields(numToGenerate int) []*onepassword.ItemField {
 	return fields
 }

-func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
-	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
-}
-
 func validLabel(v string) bool {
 	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
 		return false
--- a/pkg/onepassword/annotations.go
+++ b/pkg/onepassword/annotations.go
@@ -9,7 +9,7 @@ import (

 const (
 	OnepasswordPrefix            = "operator.1password.io"
-	ItemPathAnnotation           = OnepasswordPrefix + "/item-path"
+	ItemReferenceAnnotation      = OnepasswordPrefix + "/item-reference"
 	NameAnnotation               = OnepasswordPrefix + "/item-name"
 	VersionAnnotation            = OnepasswordPrefix + "/item-version"
 	RestartAnnotation            = OnepasswordPrefix + "/last-restarted"
--- a/pkg/onepassword/annotations_test.go
+++ b/pkg/onepassword/annotations_test.go
@@ -22,7 +22,7 @@ func TestFilterAnnotations(t *testing.T) {
 	if len(filteredAnnotations) != 2 {
 		t.Errorf("Unexpected number of filtered annotations returned. Expected 2, got %v", len(filteredAnnotations))
 	}
-	_, found := filteredAnnotations[ItemPathAnnotation]
+	_, found := filteredAnnotations[ItemReferenceAnnotation]
 	if !found {
 		t.Errorf("One Password Annotation was filtered when it should not have been")
 	}
@@ -87,7 +87,7 @@ func TestGetNoAnnotationsForDeployment(t *testing.T) {

 func getValidAnnotations() map[string]string {
 	return map[string]string{
-		ItemPathAnnotation: "vaults/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/items/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
+		ItemReferenceAnnotation: "op://b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
 		NameAnnotation:          "secretName",
 	}
 }
--- a/pkg/onepassword/items.go
+++ b/pkg/onepassword/items.go
@@ -11,11 +11,16 @@ import (

 var logger = logf.Log.WithName("retrieve_item")

-func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
-	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
+const (
+	secretReferencePrefix = "op://"
+)
+
+func GetOnePasswordItemByReference(opConnectClient connect.Client, reference string) (*onepassword.Item, error) {
+	vaultValue, itemValue, err := ParseReference(reference)
 	if err != nil {
 		return nil, err
 	}
+
 	vaultId, err := getVaultId(opConnectClient, vaultValue)
 	if err != nil {
 		return nil, err
@@ -33,12 +38,28 @@ func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*one
 	return item, nil
 }

-func ParseVaultAndItemFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
+func ParseReference(reference string) (string, string, error) {
+	if !strings.HasPrefix(reference, secretReferencePrefix) {
+		return "", "", fmt.Errorf("secret reference should start with `op://`")
 	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+	path := strings.TrimPrefix(reference, secretReferencePrefix)
+
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) != 2 {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Secret references should match op://<vault>/<item>", reference)
+	}
+
+	vault := splitPath[0]
+	if vault == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Vault can't be empty.", reference)
+	}
+
+	item := splitPath[1]
+	if item == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Item can't be empty.", reference)
+	}
+
+	return vault, item, nil
 }

 func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -110,13 +110,13 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 	for i := 0; i < len(secrets.Items); i++ {
 		secret := secrets.Items[i]

-		itemPath := secret.Annotations[ItemPathAnnotation]
+		itemReference := secret.Annotations[ItemReferenceAnnotation]
 		currentVersion := secret.Annotations[VersionAnnotation]
-		if len(itemPath) == 0 || len(currentVersion) == 0 {
+		if len(itemReference) == 0 || len(currentVersion) == 0 {
 			continue
 		}

-		item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
+		item, err := GetOnePasswordItemByReference(h.opConnectClient, secret.Annotations[ItemReferenceAnnotation])
 		if err != nil {
 			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
 		}
--- a/pkg/onepassword/secret_update_handler_test.go
+++ b/pkg/onepassword/secret_update_handler_test.go
@@ -51,7 +51,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var defaultNamespace = &corev1.Namespace{
@@ -74,7 +74,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					NameAnnotation:          "unlrelated secret",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 		},
@@ -84,7 +84,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -96,7 +96,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -150,7 +150,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -162,7 +162,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -186,7 +186,7 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 					NameAnnotation:          name,
 				},
 			},
@@ -197,7 +197,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -209,7 +209,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -256,7 +256,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -268,7 +268,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -292,7 +292,7 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 					NameAnnotation:          name,
 				},
 			},
@@ -303,7 +303,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -315,7 +315,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -370,7 +370,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -382,7 +382,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -439,7 +439,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -452,7 +452,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -510,7 +510,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -523,7 +523,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -581,7 +581,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -593,7 +593,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -658,7 +658,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -670,7 +670,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -731,7 +731,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       "old version",
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -743,7 +743,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:       fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,