Upgrading connect deployment version to 1.2.0

2025-10-23 16:00:46 +00:00 · 2021-05-26 10:23:07 -03:00
20 changed files with 63 additions and 442 deletions
--- a/.VERSION
+++ b/.VERSION
@@ -1 +1 @@
-1.1.0
+v1.0.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,22 +12,6 @@

 ---

-[//]: # (START/v1.1.0)
-# v1.1.0
-
-## Fixes
- * Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
-
---
-
-[//]: # (START/v1.0.2)
-# v1.0.2
-
-## Fixes
- * Name normalizer added to handle non-conforming item names.
-
---
-
 [//]: # (START/v1.0.1)
 # v1.0.1

--- a/4
+++ b/4
@@ -20,12 +20,12 @@ test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover

 build:	## Build operator Docker image
-	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
+	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG)
 	@echo "Successfully built and tagged image."
 	@echo "Tag: $(DOCKER_IMG_TAG)"

 build/local:	## Build local version of the operator Docker image
-	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .
+	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG)

 build/binary: clean	## Build operator binary
 	@mkdir -p dist
--- a/README.md
+++ b/README.md
@@ -84,9 +84,9 @@ An sample Deployment yaml can be found at `/deploy/operator.yaml`.

 To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:

+- **WATCH_NAMESPACE:** comma separated list of what Namespaces to watch for changes.
 - **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **POLLING_INTERVAL** (default: 600)**:** The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
 - **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
 - **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.

@@ -144,12 +144,7 @@ If a 1Password Item that is linked to a Kubernetes Secret is updated within the
 ---
 **NOTE**

-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
-
-Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
- - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
- - All whitespaces between words will be replaced by `-`
- - All the letters will be lower-cased.
+If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. Furthermore, titles that include white space characters cannot be used.

 ---

--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -83,11 +83,9 @@ func main() {

 	printVersion()

-	namespace := os.Getenv(k8sutil.WatchNamespaceEnvVar)
-
-	deploymentNamespace, err := k8sutil.GetOperatorNamespace()
+	namespace, err := k8sutil.GetWatchNamespace()
 	if err != nil {
-		log.Error(err, "Failed to get namespace")
+		log.Error(err, "Failed to get watch namespace")
 		os.Exit(1)
 	}

@@ -141,7 +139,7 @@ func main() {
 		go func() {
 			connectStarted := false
 			for connectStarted == false {
-				err := op.SetupConnect(mgr.GetClient(), deploymentNamespace)
+				err := op.SetupConnect(mgr.GetClient())
 				// Cache Not Started is an acceptable error. Retry until cache is started.
 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) {
 					log.Error(err, "")
--- a/deploy/connect/deployment.yaml
+++ b/deploy/connect/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: onepassword-connect
+  namespace: default
 spec:
  selector:
    matchLabels:
@@ -10,7 +11,7 @@ spec:
    metadata:
      labels:
        app: onepassword-connect
-        version: "1.0.0"
+        version: "1.2.0"
    spec:
      volumes:
        - name: shared-data
--- a/deploy/connect/service.yaml
+++ b/deploy/connect/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: onepassword-connect
+  namespace: default
 spec:
  type: NodePort
  selector:
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -191,7 +191,6 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)

 	secretName := annotations[op.NameAnnotation]
-	secretLabels := map[string]string(nil)
 	if len(secretName) == 0 {
 		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
 		return nil
@@ -202,5 +201,5 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}

-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation])
 }
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Test Do not update if Annotations have not changed",
+		testName: "Test Do not update if OnePassword Item Version has not changed",
 		deploymentResource: &appsv1.Deployment{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       deploymentKind,
@@ -271,7 +271,6 @@ var tests = []testReconcileItem{
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
-				Labels: map[string]string{},
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -280,8 +279,6 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
 				},
 			},
 			Data: expectedSecretData,
@@ -293,10 +290,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
 				},
-				Labels: map[string]string(nil),
 			},
 			Data: expectedSecretData,
 		},
--- a/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -3,6 +3,7 @@ package onepassworditem
 import (
 	"context"
 	"fmt"
+
 	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
 	"github.com/1Password/onepassword-operator/pkg/onepassword"
@@ -143,14 +144,12 @@ func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem

 func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
 	secretName := resource.GetName()
-	labels := resource.Labels
-	annotations := resource.Annotations
-	autoRestart := annotations[op.RestartDeploymentsAnnotation]
+	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]

 	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}

-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart)
 }
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -31,9 +31,6 @@ const (
 	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
 	username                  = "test-user"
 	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
-	firstHost                 = "http://localhost:8080"
-	awsKey                    = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-	iceCream                  = "freezing blue 20%"
 	userKey                   = "username"
 	passKey                   = "password"
 	version                   = 123
@@ -120,7 +117,6 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -132,7 +128,6 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -152,11 +147,6 @@ var tests = []testReconcileItem{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-				},
-				Labels: map[string]string{},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
@@ -168,9 +158,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: "456",
-					op.ItemPathAnnotation: itemPath,
 				},
-				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -181,9 +169,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
 				},
-				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -224,120 +210,6 @@ var tests = []testReconcileItem{
 			passKey: password,
 		},
 	},
-	{
-		testName: "Secret from 1Password item with invalid K8s labels",
-		customResource: &onepasswordv1.OnePasswordItem{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       onePasswordItemKind,
-				APIVersion: onePasswordItemAPIVersion,
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "!my sECReT it3m%",
-				Namespace: namespace,
-			},
-			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
-			},
-		},
-		existingSecret: nil,
-		expectedError:  nil,
-		expectedResultSecret: &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-secret-it3m",
-				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
-				},
-			},
-			Data: expectedSecretData,
-		},
-		opItem: map[string]string{
-			userKey: username,
-			passKey: password,
-		},
-	},
-	{
-		testName: "Secret from 1Password item with fields and sections that have invalid K8s labels",
-		customResource: &onepasswordv1.OnePasswordItem{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       onePasswordItemKind,
-				APIVersion: onePasswordItemAPIVersion,
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "!my sECReT it3m%",
-				Namespace: namespace,
-			},
-			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
-			},
-		},
-		existingSecret: nil,
-		expectedError:  nil,
-		expectedResultSecret: &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-secret-it3m",
-				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
-				},
-			},
-			Data: map[string][]byte{
-				"password":       []byte(password),
-				"username":       []byte(username),
-				"first-host":     []byte(firstHost),
-				"AWS-Access-Key": []byte(awsKey),
-				"ice-cream-type": []byte(iceCream),
-			},
-		},
-		opItem: map[string]string{
-			userKey:            username,
-			passKey:            password,
-			"first host":       firstHost,
-			"AWS Access Key":   awsKey,
-			"😄 ice-cream type": iceCream,
-		},
-	},
-	{
-		testName: "Secret from 1Password item with `-`, `_` and `.`",
-		customResource: &onepasswordv1.OnePasswordItem{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       onePasswordItemKind,
-				APIVersion: onePasswordItemAPIVersion,
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "!.my_sECReT.it3m%-_",
-				Namespace: namespace,
-			},
-			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
-			},
-		},
-		existingSecret: nil,
-		expectedError:  nil,
-		expectedResultSecret: &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-secret.it3m",
-				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
-				},
-			},
-			Data: map[string][]byte{
-				"password":          []byte(password),
-				"username":          []byte(username),
-				"first-host":        []byte(firstHost),
-				"AWS-Access-Key":    []byte(awsKey),
-				"-_ice_cream.type.": []byte(iceCream),
-			},
-		},
-		opItem: map[string]string{
-			userKey:               username,
-			passKey:               password,
-			"first host":          firstHost,
-			"AWS Access Key":      awsKey,
-			"😄 -_ice_cream.type.": iceCream,
-		},
-	},
 }

 func TestReconcileOnePasswordItem(t *testing.T) {
@@ -369,10 +241,7 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {

 				item := onepassword.Item{}
-				item.Fields = []*onepassword.ItemField{}
-				for k, v := range testData.opItem {
-					item.Fields = append(item.Fields, &onepassword.ItemField{Label: k, Value: v})
-				}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
 				item.Version = version
 				item.Vault.ID = vaultUUID
 				item.ID = uuid
@@ -388,8 +257,8 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			// watched resource .
 			req := reconcile.Request{
 				NamespacedName: types.NamespacedName{
-					Name:      testData.customResource.ObjectMeta.Name,
-					Namespace: testData.customResource.ObjectMeta.Namespace,
+					Name:      name,
+					Namespace: namespace,
 				},
 			}
 			_, err := r.Reconcile(req)
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -4,18 +4,12 @@ import (
 	"context"
 	"fmt"

-	"regexp"
-	"strings"
-
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"reflect"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
-
 	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -29,27 +23,22 @@ const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"

 var log = logf.Log

-func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string) error {

 	itemVersion := fmt.Sprint(item.Version)
-
-	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
-	if secretAnnotations == nil {
-		secretAnnotations = map[string]string{}
+	annotations := map[string]string{
+		VersionAnnotation:  itemVersion,
+		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
 	}
-
-	secretAnnotations[VersionAnnotation] = itemVersion
-	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
-
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
 		if err != nil {
 			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
 			return err
 		}
-		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
+		annotations[RestartDeploymentsAnnotation] = autoRestart
 	}
-	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, annotations, *item)

 	currentSecret := &corev1.Secret{}
 	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
@@ -60,10 +49,9 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 		return err
 	}

-	if ! reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || ! reflect.DeepEqual(currentSecret.Labels, labels) {
+	if currentSecret.Annotations[VersionAnnotation] != itemVersion {
 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
-		currentSecret.ObjectMeta.Annotations = secretAnnotations
-		currentSecret.ObjectMeta.Labels = labels
+		currentSecret.ObjectMeta.Annotations = annotations
 		currentSecret.Data = secret.Data
 		return kubeClient.Update(context.Background(), currentSecret)
 	}
@@ -72,13 +60,12 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	return nil
 }

-func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        formatSecretName(name),
+			Name:        name,
 			Namespace:   namespace,
 			Annotations: annotations,
-			Labels:      labels,
 		},
 		Data: BuildKubernetesSecretData(item.Fields),
 	}
@@ -88,59 +75,8 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			key := formatSecretDataName(fields[i].Label)
-			secretData[key] = []byte(fields[i].Value)
+			secretData[fields[i].Label] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
-
-// formatSecretName rewrites a value to be a valid Secret name.
-//
-// The Secret meta.name and data keys must be valid DNS subdomain names
-// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
-func formatSecretName(value string) string {
-	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
-		return value
-	}
-	return createValidSecretName(value)
-}
-
-// formatSecretDataName rewrites a value to be a valid Secret data key.
-//
-// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
-// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
-func formatSecretDataName(value string) string {
-	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
-		return value
-	}
-	return createValidSecretDataName(value)
-}
-
-var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
-
-func createValidSecretName(value string) string {
-	result := strings.ToLower(value)
-	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
-
-	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
-		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
-	}
-
-	// first and last character MUST be alphanumeric
-	return strings.Trim(result, "-.")
-}
-
-var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
-var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
-
-func createValidSecretDataName(value string) string {
-	result := invalidStartEndChars.ReplaceAllString(value, "")
-	result = invalidDataChars.ReplaceAllString(result, "-")
-
-	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
-		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
-	}
-
-	return result
-}
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -9,7 +9,6 @@ import (
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -31,11 +30,7 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"

 	kubeClient := fake.NewFakeClient()
-	secretLabels := map[string]string{}
-	secretAnnotations := map[string]string{
-		"testAnnotation": "exists",
-	}
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -47,10 +42,6 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
 	compareAnnotationsToItem(createdSecret.Annotations, item, t)
-
-	if createdSecret.Annotations["testAnnotation"] != "exists" {
-		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
-	}
 }

 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -64,9 +55,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"

 	kubeClient := fake.NewFakeClient()
-	secretLabels := map[string]string{}
-	secretAnnotations := map[string]string{}
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -77,7 +66,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.Version = 456
 	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
-	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -110,10 +99,9 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	item := onepassword.Item{}
 	item.Fields = generateFields(5)
-	labels := map[string]string{}

-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
-	if kubeSecret.Name != strings.ToLower(name) {
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
+	if kubeSecret.Name != name {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
@@ -125,45 +113,6 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	compareFields(item.Fields, kubeSecret.Data, t)
 }

-func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
-	name := "inV@l1d k8s secret%name"
-	expectedName := "inv-l1d-k8s-secret-name"
-	namespace := "someNamespace"
-	annotations := map[string]string{
-		"annotationKey": "annotationValue",
-	}
-	labels := map[string]string{}
-	item := onepassword.Item{}
-
-	item.Fields = []*onepassword.ItemField{
-		{
-			Label: "label w%th invalid ch!rs-",
-			Value: "value1",
-		},
-		{
-			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
-			Value: "name exceeds max length",
-		},
-	}
-
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels,  item)
-
-	// Assert Secret's meta.name was fixed
-	if kubeSecret.Name != expectedName {
-		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
-	}
-	if kubeSecret.Namespace != namespace {
-		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
-	}
-
-	// assert labels were fixed for each data key
-	for key := range kubeSecret.Data {
-		if !validLabel(key) {
-			t.Errorf("Expected valid kubernetes label, got %s", key)
-		}
-	}
-}
-
 func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
 	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
 	if err != nil {
@@ -215,10 +164,3 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
 	}
 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
 }
-
-func validLabel(v string) bool {
-	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
-		return false
-	}
-	return true
-}
--- a/pkg/onepassword/connect_setup.go
+++ b/pkg/onepassword/connect_setup.go
@@ -2,7 +2,6 @@ package onepassword

 import (
 	"context"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"

 	appsv1 "k8s.io/api/apps/v1"
@@ -18,13 +17,13 @@ var logConnectSetup = logf.Log.WithName("ConnectSetup")
 var deploymentPath = "deploy/connect/deployment.yaml"
 var servicePath = "deploy/connect/service.yaml"

-func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
-	err := setupService(kubeClient, servicePath, deploymentNamespace)
+func SetupConnect(kubeClient client.Client) error {
+	err := setupService(kubeClient, servicePath)
 	if err != nil {
 		return err
 	}

-	err = setupDeployment(kubeClient, deploymentPath, deploymentNamespace)
+	err = setupDeployment(kubeClient, deploymentPath)
 	if err != nil {
 		return err
 	}
@@ -32,22 +31,22 @@ func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
 	return nil
 }

-func setupDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
+func setupDeployment(kubeClient client.Client, deploymentPath string) error {
 	existingDeployment := &appsv1.Deployment{}

 	// check if deployment has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingDeployment)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment")
-			return createDeployment(kubeClient, deploymentPath, deploymentNamespace)
+			return createDeployment(kubeClient, deploymentPath)
 		}
 	}
 	return err
 }

-func createDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
-	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace)
+func createDeployment(kubeClient client.Client, deploymentPath string) error {
+	deployment, err := getDeploymentToCreate(deploymentPath)
 	if err != nil {
 		return err
 	}
@@ -60,16 +59,12 @@ func createDeployment(kubeClient client.Client, deploymentPath string, deploymen
 	return nil
 }

-func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*appsv1.Deployment, error) {
+func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
 	f, err := os.Open(deploymentPath)
 	if err != nil {
 		return nil, err
 	}
-	deployment := &appsv1.Deployment{
-		ObjectMeta: v1.ObjectMeta{
-			Namespace: deploymentNamespace,
-		},
-	}
+	deployment := &appsv1.Deployment{}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(deployment)
 	if err != nil {
@@ -78,30 +73,26 @@ func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*
 	return deployment, nil
 }

-func setupService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
+func setupService(kubeClient client.Client, servicePath string) error {
 	existingService := &corev1.Service{}

 	//check if service has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingService)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect service found. Creating Service")
-			return createService(kubeClient, servicePath, deploymentNamespace)
+			return createService(kubeClient, servicePath)
 		}
 	}
 	return err
 }

-func createService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
+func createService(kubeClient client.Client, servicePath string) error {
 	f, err := os.Open(servicePath)
 	if err != nil {
 		return err
 	}
-	service := &corev1.Service{
-		ObjectMeta: v1.ObjectMeta{
-			Namespace: deploymentNamespace,
-		},
-	}
+	service := &corev1.Service{}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(service)
 	if err != nil {
--- a/pkg/onepassword/connect_setup_test.go
+++ b/pkg/onepassword/connect_setup_test.go
@@ -25,7 +25,7 @@ func TestServiceSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupService(client, "../../deploy/connect/service.yaml", defaultNamespacedName.Namespace)
+	err := setupService(client, "../../deploy/connect/service.yaml")

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
@@ -50,7 +50,7 @@ func TestDeploymentSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupDeployment(client, "../../deploy/connect/deployment.yaml", defaultNamespacedName.Namespace)
+	err := setupDeployment(client, "../../deploy/connect/deployment.yaml")

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
--- a/pkg/onepassword/containers.go
+++ b/pkg/onepassword/containers.go
@@ -1,16 +1,11 @@
 package onepassword

-import (
-	corev1 "k8s.io/api/core/v1"
-)
+import corev1 "k8s.io/api/core/v1"

 func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(containers); i++ {
 		envVariables := containers[i].Env
-		envVariableNames := map[string]struct{}{}
-
 		for j := 0; j < len(envVariables); j++ {
-			envVariableNames[envVariables[j].Name] = struct{}{}
 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 				_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 				if ok {
@@ -18,19 +13,6 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 				}
 			}
 		}
-		envFromVariables := containers[i].EnvFrom
-		for j := 0; j < len(envFromVariables); j++ {
-			if envFromVariables[j].SecretRef != nil {
-				// Skip env variables that will be overwritten by Env
-				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
-					continue;
-				}
-				_, ok := secrets[envFromVariables[j].SecretRef.Name]
-				if ok {
-					return true
-				}
-			}
-		}
 	}
 	return false
 }
@@ -38,10 +20,7 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
 	for i := 0; i < len(containers); i++ {
 		envVariables := containers[i].Env
-		envVariableNames := map[string]struct{}{}
-
 		for j := 0; j < len(envVariables); j++ {
-			envVariableNames[envVariables[j].Name] = struct{}{}
 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 				secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 				if ok {
@@ -49,19 +28,6 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
 				}
 			}
 		}
-		envFromVariables := containers[i].EnvFrom
-		for j := 0; j < len(envFromVariables); j++ {
-			if envFromVariables[j].SecretRef != nil {
-				// Skip env variables that will be overwritten by Env
-				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
-					continue;
-				}
-				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name]
-				if ok {
-					updatedDeploymentSecrets[secret.Name] = secret
-				}
-			}
-		}
 	}
 	return updatedDeploymentSecrets
 }
--- a/pkg/onepassword/containers_test.go
+++ b/pkg/onepassword/containers_test.go
@@ -4,10 +4,9 @@ import (
 	"testing"

 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-func TestAreContainersUsingSecretsFromEnv(t *testing.T) {
+func TestAreContainersUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
 		"onepassword-database-secret": &corev1.Secret{},
 		"onepassword-api-key":         &corev1.Secret{},
@@ -19,26 +18,7 @@ func TestAreContainersUsingSecretsFromEnv(t *testing.T) {
 		"some_other_key",
 	}

-	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
-
-	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
-		t.Errorf("Expected that containers were using secrets but they were not detected.")
-	}
-}
-
-func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) {
-	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
-		"onepassword-api-key":         {},
-	}
-
-	containerSecretNames := []string{
-		"onepassword-database-secret",
-		"onepassword-api-key",
-		"some_other_key",
-	}
-
-	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
+	containers := generateContainers(containerSecretNames)

 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were using secrets but they were not detected.")
@@ -47,39 +27,17 @@ func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) {

 func TestAreContainersNotUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
-		"onepassword-api-key":         {},
+		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-api-key":         &corev1.Secret{},
 	}

 	containerSecretNames := []string{
 		"some_other_key",
 	}

-	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
+	containers := generateContainers(containerSecretNames)

 	if AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were not using secrets but they were detected.")
 	}
 }
-
-func TestAppendUpdatedContainerSecretsParsesEnvFromEnv(t *testing.T) {
-	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
-		"onepassword-api-key":         {ObjectMeta: metav1.ObjectMeta{Name: "onepassword-api-key"}},
-	}
-
-	containerSecretNames := []string{
-		"onepassword-api-key",
-	}
-
-	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
-
-	updatedDeploymentSecrets := map[string]*corev1.Secret{}
-	updatedDeploymentSecrets = AppendUpdatedContainerSecrets(containers, secretNamesToSearch, updatedDeploymentSecrets)
-
-	secretKeyName := "onepassword-api-key"
-
-	if updatedDeploymentSecrets[secretKeyName] != secretNamesToSearch[secretKeyName] {
-		t.Errorf("Expected that updated Secret from envfrom is found.")
-	}
-}
--- a/pkg/onepassword/deployments_test.go
+++ b/pkg/onepassword/deployments_test.go
@@ -39,7 +39,7 @@ func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
 	}

 	deployment := &appsv1.Deployment{}
-	deployment.Spec.Template.Spec.Containers = generateContainersWithSecretRefsFromEnv(containerSecretNames)
+	deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
 		t.Errorf("Expected that deployment was using secrets but they were not detected.")
 	}
--- a/pkg/onepassword/object_generators_for_test.go
+++ b/pkg/onepassword/object_generators_for_test.go
@@ -17,7 +17,8 @@ func generateVolumes(names []string) []corev1.Volume {
 	}
 	return volumes
 }
-func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
+
+func generateContainers(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {
 		container := corev1.Container{
@@ -39,16 +40,3 @@ func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container
 	}
 	return containers
 }
-
-func generateContainersWithSecretRefsFromEnvFrom(names []string) []corev1.Container {
-	containers := []corev1.Container{}
-	for i := 0; i < len(names); i++ {
-		container := corev1.Container{
-			EnvFrom: []corev1.EnvFromSource{
-				{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: names[i]}}},
-			},
-		}
-		containers = append(containers, container)
-	}
-	return containers
-}
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -131,7 +131,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 			}
 			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 			secret.Annotations[VersionAnnotation] = itemVersion
-			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
 			h.client.Update(context.Background(), updatedSecret)
 			if updatedSecrets[secret.Namespace] == nil {
 				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
@@ -1 +1 @@
 .1.0
 v1.0.1