Skip shadowed env variables

cleanup comments
Verify secrets and FromEnv in addition to Env
2025-10-22 15:38:06 +00:00 · 2022-02-17 17:49:28 +01:00 · 2021-09-24 14:02:46 -04:00 · 2021-09-24 13:51:05 -04:00 · 2021-09-23 11:21:16 -07:00 · 2021-09-23 11:18:53 -07:00
25 changed files with 583 additions and 89 deletions
--- a/.VERSION
+++ b/.VERSION
@@ -1 +1 @@
-v1.0.0
+1.1.0
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
 ---
 name: Bug report
 about: Report bugs and errors found while using the Operator.
 title: ''
 labels: bug
 assignees: ''
 ---
 ### Your environment
 <!-- Version of the Operator when the error occurred -->
 Operator Version:
 <!-- What version of the Connect server are you running?
 You can get this information from the Integrations section in 1Password
 https://start.1password.com/integrations/active
 -->
 Connect Server Version:
 <!-- What version of Kubernetes have you deployed the operator to? -->
 Kubernetes Version:
 ## What happened?
 <!-- Describe the bug or error -->
 ## What did you expect to happen?
 <!-- Describe what should have happened -->
 ## Steps to reproduce
 1. <!-- Describe Steps to reproduce the issue -->
 ## Notes & Logs
 <!-- Paste any logs here that may help with debugging.
 Remember to remove any sensitive information before sharing! -->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,9 @@
 # docs: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
 blank_issues_enabled: true
 contact_links:
  - name: 1Password Community
    url: https://1password.community/categories/secrets-automation
    about: Please ask general Secrets Automation questions here.
  - name: 1Password Security Bug Bounty
    url: https://bugcrowd.com/agilebits
    about: Please report security vulnerabilities here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,32 @@
 ---
 name: Feature request
 about: Suggest an idea for the Operator
 title: ''
 labels: feature-request
 assignees: ''
 ---
 ### Summary
 <!-- Briefly describe the feature in one or two sentences. You can include more details later. -->
 ### Use cases
 <!-- Describe the use cases that make this feature useful to others.
 The description should help the reader understand why the feature is necessary.
 The better we understand your use case, the better we can help create an appropriate solution. -->
 ### Proposed solution
 <!-- If you already have an idea for how the feature should work, use this space to describe it.
 We'll work with you to find a workable approach, and any implementation details are appreciated.
 -->
 ### Is there a workaround to accomplish this today?
 <!-- If there's a way to accomplish this feature request without changes to the codebase, we'd like to hear it.
 -->
 ### References & Prior Work
 <!-- If a similar feature was implemented in another project or tool, add a link so we can better understand your request.
 Links to relevant documentation or RFCs are also appreciated. -->
 * <!-- Reference 1 -->
 * <!-- Reference 2, etc -->
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,13 +1,15 @@
-name: goreleaser
+name: release
 on:
  push:
    tags:
-      - '*'
+      - 'v*'
 jobs:
-  goreleaser:
+  release-docker:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      -
        name: Checkout
@@ -15,15 +17,41 @@ jobs:
        with:
          fetch-depth: 0
      -
-        name: Set up Go
+        name: Docker meta
-        uses: actions/setup-go@v2
+        id: meta
        uses: crazy-max/ghaction-docker-meta@v2
        with:
-          go-version: 1.15
+          images: |
            1password/onepassword-operator
          # Publish image for x.y.z and x.y
          # The latest tag is automatically added for semver tags
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
      - name: Get the version from tag
        id: get_version
        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/v}
      -
-        name: Run GoReleaser
+        name: Set up QEMU
-        uses: goreleaser/goreleaser-action@v2
+        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Docker Login
        uses: docker/login-action@v1
        with:
-          version: latest
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          args: release --rm-dist
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        env:
+      -
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            operator_version=${{ steps.get_version.outputs.VERSION }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,31 @@
 ---
 [//]: # (START/v1.1.0)
 # v1.1.0
 ## Fixes
 * Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
 ---
 [//]: # (START/v1.0.2)
 # v1.0.2
 ## Fixes
 * Name normalizer added to handle non-conforming item names.
 ---
 [//]: # (START/v1.0.1)
 # v1.0.1
 ## Features
 * This release also contains an arm64 Docker image. {#20}
 * Docker images are also pushed to the :latest and :<major>.<minor> tags.
 ---
 [//]: # (START/v1.0.0)
 # v1.0.0
--- a/4
+++ b/4
@@ -14,11 +14,9 @@ COPY vendor/ vendor/
 # Build
 ARG operator_version=dev
 RUN CGO_ENABLED=0 \
    GOOS=linux \
    GOARCH=amd64 \
    GO111MODULE=on \
    go build \
-    -ldflags "-X version.Version=$operator_version" \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
    -mod vendor \
    -a -o manager main.go
--- a/4
+++ b/4
@@ -20,12 +20,12 @@ test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover
 build:	## Build operator Docker image
-	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
 	@echo "Successfully built and tagged image."
 	@echo "Tag: $(DOCKER_IMG_TAG)"
 build/local:	## Build local version of the operator Docker image
-	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .
 build/binary: clean	## Build operator binary
 	@mkdir -p dist
--- a/README.md
+++ b/README.md
@@ -13,8 +13,8 @@ Prerequisites:
 - [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
 - [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - [docker installed](https://docs.docker.com/get-docker/)
- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.b5dev.com/cs/connect)
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
- [1Password Connect deployed to Kubernetes](https://support.b5dev.com/cs/connect-deploy-kubernetes/#step-2-deploy-a-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
 ### Quickstart for Deploying 1Password Connect to Kubernetes
@@ -53,15 +53,15 @@ Adding this environment variable will have the operator automatically deploy a d
 "Create a Connect token for the operator and save it as a Kubernetes Secret: 
 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=<OP_CONNECT_TOKEN>"
+$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
 ```
 If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
 ```
-[More information on generating a token can be found here](https://support.1password.com/cs/secrets-automation/#appendix-issue-additional-access-tokens)
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
 **Set Permissions For Operator**
@@ -84,9 +84,9 @@ An sample Deployment yaml can be found at `/deploy/operator.yaml`.
 To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
 - **WATCH_NAMESPACE:** comma separated list of what Namespaces to watch for changes.
 - **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
- **POLLING_INTERVAL** (default: 600)**:** The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
 - **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
 - **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
 - **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
@@ -102,7 +102,7 @@ To create a Kubernetes Secret from a 1Password item, create a yaml file with the
 ```yaml
 apiVersion: onepassword.com/v1
-kind: OnePasswordItem # {insert_new_name}
+kind: OnePasswordItem
 metadata:
  name: <item_name> #this name will also be used for naming the generated kubernetes secret
 spec:
@@ -131,8 +131,8 @@ kind: Deployment
 metadata:
  name: deployment-example
  annotations:
-    operator.1password.io/item-path: "vaults/{vault_id_or_title}/items/{item_id_or_title}"
+    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
-    operator.1password.io/item-name: "{secret_name}"
+    operator.1password.io/item-name: "<secret_name>"
 ```
 Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
@@ -144,7 +144,12 @@ If a 1Password Item that is linked to a Kubernetes Secret is updated within the
 ---
 **NOTE**
-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. Furthermore, titles that include white space characters cannot be used.
+If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
 Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
 - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
 - All whitespaces between words will be replaced by `-`
 - All the letters will be lower-cased.
 ---
@@ -163,6 +168,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: "example-namespace"
  annotations:
    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
@@ -175,6 +181,7 @@ apiVersion: v1
 kind: Deployment
 metadata:
  name: "example-deployment"
  annotations:
    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the namespace will be used.
@@ -187,6 +194,7 @@ apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: example
  annotations:
    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the deployment will be used.
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -83,9 +83,11 @@ func main() {
 	printVersion()
-	namespace, err := k8sutil.GetWatchNamespace()
+	namespace := os.Getenv(k8sutil.WatchNamespaceEnvVar)
 	deploymentNamespace, err := k8sutil.GetOperatorNamespace()
 	if err != nil {
-		log.Error(err, "Failed to get watch namespace")
+		log.Error(err, "Failed to get namespace")
 		os.Exit(1)
 	}
@@ -139,7 +141,7 @@ func main() {
 		go func() {
 			connectStarted := false
 			for connectStarted == false {
-				err := op.SetupConnect(mgr.GetClient())
+				err := op.SetupConnect(mgr.GetClient(), deploymentNamespace)
 				// Cache Not Started is an acceptable error. Retry until cache is started.
 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) {
 					log.Error(err, "")
--- a/deploy/connect/deployment.yaml
+++ b/deploy/connect/deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: onepassword-connect
  namespace: default
 spec:
  selector:
    matchLabels:
--- a/deploy/connect/service.yaml
+++ b/deploy/connect/service.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: onepassword-connect
  namespace: default
 spec:
  type: NodePort
  selector:
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -191,6 +191,7 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 	secretName := annotations[op.NameAnnotation]
 	secretLabels := map[string]string(nil)
 	if len(secretName) == 0 {
 		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
 		return nil
@@ -201,5 +202,5 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation])
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
 }
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Test Do not update if OnePassword Item Version has not changed",
+		testName: "Test Do not update if Annotations have not changed",
 		deploymentResource: &appsv1.Deployment{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       deploymentKind,
@@ -271,6 +271,7 @@ var tests = []testReconcileItem{
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
 				Labels: map[string]string{},
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -279,6 +280,8 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
 			},
 			Data: expectedSecretData,
@@ -290,7 +293,10 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
 				Labels: map[string]string(nil),
 			},
 			Data: expectedSecretData,
 		},
--- a/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -3,7 +3,6 @@ package onepassworditem
 import (
 	"context"
 	"fmt"
 	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
 	"github.com/1Password/onepassword-operator/pkg/onepassword"
@@ -144,12 +143,14 @@ func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem
 func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
 	secretName := resource.GetName()
-	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]
+	labels := resource.Labels
 	annotations := resource.Annotations
 	autoRestart := annotations[op.RestartDeploymentsAnnotation]
 	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
 }
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -31,6 +31,9 @@ const (
 	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
 	username                  = "test-user"
 	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
 	firstHost                 = "http://localhost:8080"
 	awsKey                    = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 	iceCream                  = "freezing blue 20%"
 	userKey                   = "username"
 	passKey                   = "password"
 	version                   = 123
@@ -117,6 +120,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -128,6 +132,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -147,6 +152,11 @@ var tests = []testReconcileItem{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 				},
 				Labels: map[string]string{},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
@@ -158,7 +168,9 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: "456",
 					op.ItemPathAnnotation: itemPath,
 				},
 				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -169,7 +181,9 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 					op.ItemPathAnnotation: itemPath,
 				},
 				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -210,6 +224,120 @@ var tests = []testReconcileItem{
 			passKey: password,
 		},
 	},
 	{
 		testName: "Secret from 1Password item with invalid K8s labels",
 		customResource: &onepasswordv1.OnePasswordItem{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       onePasswordItemKind,
 				APIVersion: onePasswordItemAPIVersion,
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "!my sECReT it3m%",
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
 			},
 		},
 		existingSecret: nil,
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "my-secret-it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: expectedSecretData,
 		},
 		opItem: map[string]string{
 			userKey: username,
 			passKey: password,
 		},
 	},
 	{
 		testName: "Secret from 1Password item with fields and sections that have invalid K8s labels",
 		customResource: &onepasswordv1.OnePasswordItem{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       onePasswordItemKind,
 				APIVersion: onePasswordItemAPIVersion,
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "!my sECReT it3m%",
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
 			},
 		},
 		existingSecret: nil,
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "my-secret-it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: map[string][]byte{
 				"password":       []byte(password),
 				"username":       []byte(username),
 				"first-host":     []byte(firstHost),
 				"AWS-Access-Key": []byte(awsKey),
 				"ice-cream-type": []byte(iceCream),
 			},
 		},
 		opItem: map[string]string{
 			userKey:            username,
 			passKey:            password,
 			"first host":       firstHost,
 			"AWS Access Key":   awsKey,
 			"😄 ice-cream type": iceCream,
 		},
 	},
 	{
 		testName: "Secret from 1Password item with `-`, `_` and `.`",
 		customResource: &onepasswordv1.OnePasswordItem{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       onePasswordItemKind,
 				APIVersion: onePasswordItemAPIVersion,
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "!.my_sECReT.it3m%-_",
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
 			},
 		},
 		existingSecret: nil,
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "my-secret.it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: map[string][]byte{
 				"password":          []byte(password),
 				"username":          []byte(username),
 				"first-host":        []byte(firstHost),
 				"AWS-Access-Key":    []byte(awsKey),
 				"-_ice_cream.type.": []byte(iceCream),
 			},
 		},
 		opItem: map[string]string{
 			userKey:               username,
 			passKey:               password,
 			"first host":          firstHost,
 			"AWS Access Key":      awsKey,
 			"😄 -_ice_cream.type.": iceCream,
 		},
 	},
 }
 func TestReconcileOnePasswordItem(t *testing.T) {
@@ -241,7 +369,10 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
 				item := onepassword.Item{}
-				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Fields = []*onepassword.ItemField{}
 				for k, v := range testData.opItem {
 					item.Fields = append(item.Fields, &onepassword.ItemField{Label: k, Value: v})
 				}
 				item.Version = version
 				item.Vault.ID = vaultUUID
 				item.ID = uuid
@@ -257,8 +388,8 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			// watched resource .
 			req := reconcile.Request{
 				NamespacedName: types.NamespacedName{
-					Name:      name,
+					Name:      testData.customResource.ObjectMeta.Name,
-					Namespace: namespace,
+					Namespace: testData.customResource.ObjectMeta.Namespace,
 				},
 			}
 			_, err := r.Reconcile(req)
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -4,12 +4,18 @@ import (
 	"context"
 	"fmt"
 	"regexp"
 	"strings"
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"reflect"
 	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -23,22 +29,27 @@ const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
 var log = logf.Log
-func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string) error {
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
 	itemVersion := fmt.Sprint(item.Version)
-	annotations := map[string]string{
+
-		VersionAnnotation:  itemVersion,
+	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
+	if secretAnnotations == nil {
 		secretAnnotations = map[string]string{}
 	}
 	secretAnnotations[VersionAnnotation] = itemVersion
 	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
 		if err != nil {
 			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
 			return err
 		}
-		annotations[RestartDeploymentsAnnotation] = autoRestart
+		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
 	}
-	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, annotations, *item)
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
 	currentSecret := &corev1.Secret{}
 	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
@@ -49,9 +60,10 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 		return err
 	}
-	if currentSecret.Annotations[VersionAnnotation] != itemVersion {
+	if ! reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || ! reflect.DeepEqual(currentSecret.Labels, labels) {
 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
-		currentSecret.ObjectMeta.Annotations = annotations
+		currentSecret.ObjectMeta.Annotations = secretAnnotations
 		currentSecret.ObjectMeta.Labels = labels
 		currentSecret.Data = secret.Data
 		return kubeClient.Update(context.Background(), currentSecret)
 	}
@@ -60,12 +72,13 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	return nil
 }
-func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        name,
+			Name:        formatSecretName(name),
 			Namespace:   namespace,
 			Annotations: annotations,
 			Labels:      labels,
 		},
 		Data: BuildKubernetesSecretData(item.Fields),
 	}
@@ -75,8 +88,59 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			secretData[fields[i].Label] = []byte(fields[i].Value)
+			key := formatSecretDataName(fields[i].Label)
 			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
 // formatSecretName rewrites a value to be a valid Secret name.
 //
 // The Secret meta.name and data keys must be valid DNS subdomain names
 // (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
 func formatSecretName(value string) string {
 	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
 		return value
 	}
 	return createValidSecretName(value)
 }
 // formatSecretDataName rewrites a value to be a valid Secret data key.
 //
 // The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
 // (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
 func formatSecretDataName(value string) string {
 	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
 		return value
 	}
 	return createValidSecretDataName(value)
 }
 var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
 func createValidSecretName(value string) string {
 	result := strings.ToLower(value)
 	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
 	}
 	// first and last character MUST be alphanumeric
 	return strings.Trim(result, "-.")
 }
 var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
 var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
 func createValidSecretDataName(value string) string {
 	result := invalidStartEndChars.ReplaceAllString(value, "")
 	result = invalidDataChars.ReplaceAllString(result, "-")
 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
 	}
 	return result
 }
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -30,7 +31,11 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
 	secretAnnotations := map[string]string{
 		"testAnnotation": "exists",
 	}
 	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -42,6 +47,10 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
 	compareAnnotationsToItem(createdSecret.Annotations, item, t)
 	if createdSecret.Annotations["testAnnotation"] != "exists" {
 		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
 	}
 }
 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -55,7 +64,9 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
 	secretAnnotations := map[string]string{}
 	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -66,7 +77,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.Version = 456
 	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
-	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation)
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -99,9 +110,10 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	item := onepassword.Item{}
 	item.Fields = generateFields(5)
 	labels := map[string]string{}
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
-	if kubeSecret.Name != name {
+	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
@@ -113,6 +125,45 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	compareFields(item.Fields, kubeSecret.Data, t)
 }
 func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	name := "inV@l1d k8s secret%name"
 	expectedName := "inv-l1d-k8s-secret-name"
 	namespace := "someNamespace"
 	annotations := map[string]string{
 		"annotationKey": "annotationValue",
 	}
 	labels := map[string]string{}
 	item := onepassword.Item{}
 	item.Fields = []*onepassword.ItemField{
 		{
 			Label: "label w%th invalid ch!rs-",
 			Value: "value1",
 		},
 		{
 			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
 			Value: "name exceeds max length",
 		},
 	}
 	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels,  item)
 	// Assert Secret's meta.name was fixed
 	if kubeSecret.Name != expectedName {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
 		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
 	}
 	// assert labels were fixed for each data key
 	for key := range kubeSecret.Data {
 		if !validLabel(key) {
 			t.Errorf("Expected valid kubernetes label, got %s", key)
 		}
 	}
 }
 func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
 	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
 	if err != nil {
@@ -164,3 +215,10 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
 	}
 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
 }
 func validLabel(v string) bool {
 	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
 		return false
 	}
 	return true
 }
--- a/pkg/onepassword/connect_setup.go
+++ b/pkg/onepassword/connect_setup.go
@@ -2,6 +2,7 @@ package onepassword
 import (
 	"context"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	appsv1 "k8s.io/api/apps/v1"
@@ -17,13 +18,13 @@ var logConnectSetup = logf.Log.WithName("ConnectSetup")
 var deploymentPath = "deploy/connect/deployment.yaml"
 var servicePath = "deploy/connect/service.yaml"
-func SetupConnect(kubeClient client.Client) error {
+func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
-	err := setupService(kubeClient, servicePath)
+	err := setupService(kubeClient, servicePath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
-	err = setupDeployment(kubeClient, deploymentPath)
+	err = setupDeployment(kubeClient, deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -31,22 +32,22 @@ func SetupConnect(kubeClient client.Client) error {
 	return nil
 }
-func setupDeployment(kubeClient client.Client, deploymentPath string) error {
+func setupDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
 	existingDeployment := &appsv1.Deployment{}
 	// check if deployment has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingDeployment)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment")
-			return createDeployment(kubeClient, deploymentPath)
+			return createDeployment(kubeClient, deploymentPath, deploymentNamespace)
 		}
 	}
 	return err
 }
-func createDeployment(kubeClient client.Client, deploymentPath string) error {
+func createDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
-	deployment, err := getDeploymentToCreate(deploymentPath)
+	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -59,12 +60,16 @@ func createDeployment(kubeClient client.Client, deploymentPath string) error {
 	return nil
 }
-func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
+func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*appsv1.Deployment, error) {
 	f, err := os.Open(deploymentPath)
 	if err != nil {
 		return nil, err
 	}
-	deployment := &appsv1.Deployment{}
+	deployment := &appsv1.Deployment{
 		ObjectMeta: v1.ObjectMeta{
 			Namespace: deploymentNamespace,
 		},
 	}
 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(deployment)
 	if err != nil {
@@ -73,26 +78,30 @@ func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
 	return deployment, nil
 }
-func setupService(kubeClient client.Client, servicePath string) error {
+func setupService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	existingService := &corev1.Service{}
 	//check if service has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingService)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect service found. Creating Service")
-			return createService(kubeClient, servicePath)
+			return createService(kubeClient, servicePath, deploymentNamespace)
 		}
 	}
 	return err
 }
-func createService(kubeClient client.Client, servicePath string) error {
+func createService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	f, err := os.Open(servicePath)
 	if err != nil {
 		return err
 	}
-	service := &corev1.Service{}
+	service := &corev1.Service{
 		ObjectMeta: v1.ObjectMeta{
 			Namespace: deploymentNamespace,
 		},
 	}
 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(service)
 	if err != nil {
--- a/pkg/onepassword/connect_setup_test.go
+++ b/pkg/onepassword/connect_setup_test.go
@@ -25,7 +25,7 @@ func TestServiceSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)
-	err := setupService(client, "../../deploy/connect/service.yaml")
+	err := setupService(client, "../../deploy/connect/service.yaml", defaultNamespacedName.Namespace)
 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
@@ -50,7 +50,7 @@ func TestDeploymentSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)
-	err := setupDeployment(client, "../../deploy/connect/deployment.yaml")
+	err := setupDeployment(client, "../../deploy/connect/deployment.yaml", defaultNamespacedName.Namespace)
 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
--- a/pkg/onepassword/containers.go
+++ b/pkg/onepassword/containers.go
@@ -1,11 +1,16 @@
 package onepassword
-import corev1 "k8s.io/api/core/v1"
+import (
 	corev1 "k8s.io/api/core/v1"
 )
 func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(containers); i++ {
 		envVariables := containers[i].Env
 		envVariableNames := map[string]struct{}{}
 		for j := 0; j < len(envVariables); j++ {
 			envVariableNames[envVariables[j].Name] = struct{}{}
 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 				_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 				if ok {
@@ -13,6 +18,19 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 				}
 			}
 		}
 		envFromVariables := containers[i].EnvFrom
 		for j := 0; j < len(envFromVariables); j++ {
 			if envFromVariables[j].SecretRef != nil {
 				// Skip env variables that will be overwritten by Env
 				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
 					continue;
 				}
 				_, ok := secrets[envFromVariables[j].SecretRef.Name]
 				if ok {
 					return true
 				}
 			}
 		}
 	}
 	return false
 }
@@ -20,7 +38,10 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
 	for i := 0; i < len(containers); i++ {
 		envVariables := containers[i].Env
 		envVariableNames := map[string]struct{}{}
 		for j := 0; j < len(envVariables); j++ {
 			envVariableNames[envVariables[j].Name] = struct{}{}
 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
 				secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
 				if ok {
@@ -28,6 +49,19 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
 				}
 			}
 		}
 		envFromVariables := containers[i].EnvFrom
 		for j := 0; j < len(envFromVariables); j++ {
 			if envFromVariables[j].SecretRef != nil {
 				// Skip env variables that will be overwritten by Env
 				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok {
 					continue;
 				}
 				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name]
 				if ok {
 					updatedDeploymentSecrets[secret.Name] = secret
 				}
 			}
 		}
 	}
 	return updatedDeploymentSecrets
 }
--- a/pkg/onepassword/containers_test.go
+++ b/pkg/onepassword/containers_test.go
@@ -4,9 +4,10 @@ import (
 	"testing"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
-func TestAreContainersUsingSecrets(t *testing.T) {
+func TestAreContainersUsingSecretsFromEnv(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
 		"onepassword-database-secret": &corev1.Secret{},
 		"onepassword-api-key":         &corev1.Secret{},
@@ -18,7 +19,26 @@ func TestAreContainersUsingSecrets(t *testing.T) {
 		"some_other_key",
 	}
-	containers := generateContainers(containerSecretNames)
+	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were using secrets but they were not detected.")
 	}
 }
 func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
 		"onepassword-database-secret": {},
 		"onepassword-api-key":         {},
 	}
 	containerSecretNames := []string{
 		"onepassword-database-secret",
 		"onepassword-api-key",
 		"some_other_key",
 	}
 	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were using secrets but they were not detected.")
@@ -27,17 +47,39 @@ func TestAreContainersUsingSecrets(t *testing.T) {
 func TestAreContainersNotUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": &corev1.Secret{},
+		"onepassword-database-secret": {},
-		"onepassword-api-key":         &corev1.Secret{},
+		"onepassword-api-key":         {},
 	}
 	containerSecretNames := []string{
 		"some_other_key",
 	}
-	containers := generateContainers(containerSecretNames)
+	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
 	if AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were not using secrets but they were detected.")
 	}
 }
 func TestAppendUpdatedContainerSecretsParsesEnvFromEnv(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
 		"onepassword-database-secret": {},
 		"onepassword-api-key":         {ObjectMeta: metav1.ObjectMeta{Name: "onepassword-api-key"}},
 	}
 	containerSecretNames := []string{
 		"onepassword-api-key",
 	}
 	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
 	updatedDeploymentSecrets := map[string]*corev1.Secret{}
 	updatedDeploymentSecrets = AppendUpdatedContainerSecrets(containers, secretNamesToSearch, updatedDeploymentSecrets)
 	secretKeyName := "onepassword-api-key"
 	if updatedDeploymentSecrets[secretKeyName] != secretNamesToSearch[secretKeyName] {
 		t.Errorf("Expected that updated Secret from envfrom is found.")
 	}
 }
--- a/pkg/onepassword/deployments_test.go
+++ b/pkg/onepassword/deployments_test.go
@@ -39,7 +39,7 @@ func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
 	}
 	deployment := &appsv1.Deployment{}
-	deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
+	deployment.Spec.Template.Spec.Containers = generateContainersWithSecretRefsFromEnv(containerSecretNames)
 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
 		t.Errorf("Expected that deployment was using secrets but they were not detected.")
 	}
--- a/pkg/onepassword/object_generators_for_test.go
+++ b/pkg/onepassword/object_generators_for_test.go
@@ -17,8 +17,7 @@ func generateVolumes(names []string) []corev1.Volume {
 	}
 	return volumes
 }
-
+func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
 func generateContainers(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {
 		container := corev1.Container{
@@ -40,3 +39,16 @@ func generateContainers(names []string) []corev1.Container {
 	}
 	return containers
 }
 func generateContainersWithSecretRefsFromEnvFrom(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {
 		container := corev1.Container{
 			EnvFrom: []corev1.EnvFromSource{
 				{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: names[i]}}},
 			},
 		}
 		containers = append(containers, container)
 	}
 	return containers
 }
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -131,7 +131,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 			}
 			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 			secret.Annotations[VersionAnnotation] = itemVersion
-			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
 			h.client.Update(context.Background(), updatedSecret)
 			if updatedSecrets[secret.Namespace] == nil {
 				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
Author	SHA1	Message	Date
Marton Soos	717f9bc33f	Skip shadowed env variables	2022-02-17 17:49:28 +01:00
Samuel Archambault	d9e003bdb7	cleanup comments	2021-09-24 14:02:46 -04:00
Samuel Archambault	b25f943b3a	Verify secrets and FromEnv in addition to Env	2021-09-24 13:51:05 -04:00
David Gunter	d807e92c36	Merge pull request #71 from 1Password/release/v1.1.0 Prepare Release - v1.1.0	2021-09-23 11:21:16 -07:00
david.gunter	244771717c	Prepare release/1.1.0	2021-09-23 11:18:53 -07:00
Floris van der Grinten	7aeb36e383	Merge pull request #66 from 1Password/fix/handling-key-names Handling key names	2021-09-13 13:34:44 +02:00
Floris van der Grinten	5c2f840623	Merge pull request #43 from mcmarkj/pass-labels-and-annotations Add Labels & Annotations from OPObject to Secret	2021-09-13 13:33:38 +02:00
Eddy Filip	670040477e	Add max length for secret key names Max length for secret key names must be DNS1123 compliant (253)	2021-09-08 16:02:08 +03:00
Eddy Filip	a45a310611	Make secret names DNS1123 Subdomain compiant This is done while ensuring that secret keys are compliant (contain alphanumeric characters, `-`, `_` and `.`)	2021-09-08 15:36:40 +03:00
Eddy Filip	d80e8dd799	Add tests with names that contain `.` and `_`	2021-09-08 13:58:48 +03:00
Eddy Filip	88728909ff	Adjust regex to support `_` and `.` and trim them Now secret names can also contain `_` and `.` and they will be trimmed from start and end of string to be DNS1123 compliant	2021-09-08 13:49:32 +03:00
Marton Soos	e365ebfdfa	Fix tests	2021-09-03 15:42:02 +03:00
Marton Soos	2c4b4df01a	Do not make secret names lowercase on normalization	2021-09-03 15:41:46 +03:00
Jillian W	49d984c6f2	Merge pull request #64 from 1Password/release/v1.0.2 Preparing release	2021-08-27 15:32:40 -03:00
jillianwilson	72cad7284c	Preparing release	2021-08-27 15:21:07 -03:00
mcmarkj	0193a98681	Merge branch 'main' of github.com:1Password/onepassword-operator into pass-labels-and-annotations	2021-08-19 16:15:02 +01:00
mcmarkj	f241d7423d	Use deepequal	2021-08-19 16:11:29 +01:00
Eduard Filip	6043e0da0b	Merge pull request #58 from 1Password/dg/normalize-secret-name Add secret name normalizer to the operator.	2021-08-17 20:28:07 +02:00
Eddy Filip	753cc5e9a3	Update note in README The note now explains how the item title and fields are made into DNS subdomain-compliant names for creating Kubernetes secrets.	2021-08-16 15:24:04 +02:00
Eddy Filip	8cfe98073e	Improve testing Fix previous tests and add test for items with field names that are not valid DNS subdomain names.	2021-08-16 14:51:44 +02:00
mcmarkj	c0037526b0	remove commit file	2021-08-15 15:32:18 +01:00
david.gunter	96b42e7c52	Label normalizer now fixes both Secret names and data keys. Each key in the `data` section of a secret must also be a valid DNS subdomain. The operator needs to "fix" the 1Password item fields before trying to create the secret.	2021-08-06 13:18:21 -07:00
david.gunter	579b5848da	Add secret name normalizer to the operator. The operator will now reformat 1Password item names to become valid names K8s Secret objects. Secret names must be a valid DNS subdomain name. See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names	2021-08-05 16:39:55 -07:00
mcmarkj	dff934cbc3	Fix tests	2021-08-04 06:33:56 +01:00
mcmarkj	2096f4440f	add logic for checking for label or annotation updates	2021-08-03 21:32:04 +01:00
mcmarkj	b3fc707337	Merge branch 'main' of github.com:1Password/onepassword-operator into pass-labels-and-annotations	2021-07-23 15:29:24 +01:00
Eduard Filip	b50d864b50	Merge pull request #46 from 1Password/connect-deploy-custom-namespace Add support custom namespace for connect deployment	2021-06-17 14:13:43 +03:00
Eduard Filip	1643385d9b	Merge pull request #45 from 1Password/fix/makefile Add missing argument for docker build	2021-06-17 14:13:11 +03:00
Eddy Filip	9441214733	Add support custom namespace for connect deployment Now when the operator is deployed with the `MANAGE_CONNECT` env var set to true, the connect instance is deployed in the same namespace as the operator.	2021-06-09 20:45:33 +03:00
Eddy Filip	7e4e988813	Add missing argument for docker build `make build` and `make build/local` would fail because the docker build commands were incomplete.	2021-06-09 16:02:05 +03:00
mcmarkj	fb1262f1bd	PR Feedback'	2021-06-07 21:51:44 +01:00
Simon Barendse	68f084080e	Merge pull request #40 from 1Password/feature/watch-namespaces-default Watch all namespaces by default	2021-06-07 14:25:48 +02:00
mcmarkj	a428fe7462	GoFMT	2021-05-28 18:15:17 +01:00
mcmarkj	ea2d1f8a09	Typo	2021-05-28 18:11:10 +01:00
mcmarkj	bd96d50a9b	Add Labels & Annotations from OPObject to Secret	2021-05-28 16:39:00 +01:00
Simon Barendse	859c9e3462	Watch all namespaces by default When nothing is configured, watch all namespaces by default. This makes it easier to get started. It also makes configuring to watch all namespaces less akward (currently you have to set the WATCH_NAMESPACE environment variable to the empty string to configure the operator to watch all namespaces.	2021-05-14 14:26:30 +02:00
Simon Barendse	9dabac4a55	Merge pull request #35 from 1Password/auto-restart-annotation-example Fix examples using the auto-restart annotation	2021-05-07 11:33:54 +02:00
Simon Barendse	d927a08790	Fix examples using the auto-restart annotation	2021-05-03 18:14:02 +02:00
Simon Barendse	933f7c4e2c	Merge pull request #33 from lemichello/readme-token-name Make token name used in README and deploy/operator.yaml consistent	2021-05-03 18:04:07 +02:00
Floris van der Grinten	81eb9a521f	Merge pull request #34 from 1Password/support-links Update documentation links	2021-05-03 18:02:09 +02:00
Simon Barendse	eb32bd7f94	Update documentation links Also switch b5dev.com to 1password.com	2021-05-03 16:59:32 +02:00
Simon Barendse	a5781af949	Update documentation links The documentation is moved to our main support site when the operator was publicly released. The old URLs are redirected to the new URLs used in this commit, however, when redirecting the anchor is lost and the page is not scrolled to that position on the page. This commit fixes that by changing the URLs to the new URLs.	2021-05-03 16:56:49 +02:00
Maksym Lemich	0aa5781acd	renamed the proposed secret name for the token	2021-05-03 14:07:59 +03:00
Joris Coenen	700be4426f	Merge pull request #31 from 1Password/armv7-image Add arm/v7 image	2021-04-30 17:43:07 +02:00
Joris Coenen	76ef9aa372	Merge pull request #30 from 1Password/fix-cli-version Fix the version passed to the image	2021-04-30 16:39:29 +02:00
Joris Coenen	d7e6704314	Add arm/v7 image Needed to run on a Raspberry Pi. Arm/v6 would also be nice, but this does not seem to be supported by the current base image gcr.io/distroless/static:nonroot. So let's go with this for now.	2021-04-30 16:39:05 +02:00
Joris Coenen	2443979602	Fix the version passed to the image Contrary to what internet resources say, ${{github.event.ref}} also contains the `ref/tags/` prefix. That is removed now. Also, setting the version with plain "-X version.Version" does not seem to work consistently. Adding the full package as a prefix fixes this.	2021-04-30 16:12:45 +02:00
Joris Coenen	5b65196d31	Merge pull request #29 from 1Password/release/v1.0.1 Release v1.0.1	2021-04-30 14:31:35 +02:00
Joris Coenen	e7df8a485d	Fix inconsistency in .VERSION file	2021-04-30 14:28:36 +02:00
Joris Coenen	ded76138da	Prepare release v1.0.1	2021-04-30 14:24:33 +02:00
Joris Coenen	a5db6aeb81	Merge pull request #24 from 1Password/go-binaries-action Create GitHub Actions workflow to release to Docker Hub	2021-04-30 11:15:33 +02:00
Joris Coenen	d45f682c37	Rename job to release-docker Co-authored-by: Floris van der Grinten <floris.vandergrinten@agilebits.com>	2021-04-29 14:35:21 +02:00
Joris Coenen	d0c1235e58	Remove obsoleted goreleaser files	2021-04-23 18:45:06 +02:00
Joris Coenen	9e8f621020	Use docker buildx for building and pushing images This has the benefit that every tag only shows up as one image. With goreleaser, multiple images were shipped	2021-04-23 18:40:15 +02:00
Joris Coenen	8dd7a28456	Merge pull request #26 from 1Password/issue-templates Add GitHub issue templates	2021-04-22 18:38:29 +02:00
Joris Coenen	43b06dd7aa	Add GitHub issue templates	2021-04-22 13:38:35 +02:00
Joris Coenen	e8e01d6578	Also push :latest tag	2021-04-21 19:06:13 +02:00
Joris Coenen	b53e017b77	GitHub Action steps for publishing images to DockerHub	2021-04-21 18:41:30 +02:00
Joris Coenen	b2565cebf8	Add GoReleaser configuration for publishing docker images Should build both an amd64 and arm64 image and combine both in a single manifest. Does require some modifications to the GitHub Actions to correctly push to DockerHub. Used this blog post as inspiration: https://carlosbecker.com/posts/multi-platform-docker-images-goreleaser-gh-actions/	2021-04-21 18:18:47 +02:00
Joris Coenen	9459d2e292	Merge pull request #25 from 1Password/readme-update Minor README adjustments	2021-04-21 10:50:48 +02:00
jillianwilson	0409b17ef4	Minor README adjustments	2021-04-20 16:18:59 -03:00