Fix typo in changelog

Add release notes for v1.2.0
Merge pull request #74 from Nuglif/main
2025-10-22 07:28:06 +00:00 · 2022-02-21 11:49:14 +01:00 · 2022-02-21 11:03:14 +01:00 · 2022-02-18 20:13:08 +01:00 · 2022-02-18 14:16:22 +01:00 · 2022-02-18 10:47:14 +01:00
27 changed files with 761 additions and 103 deletions
--- a/.VERSION
+++ b/.VERSION
@@ -1 +1 @@
-v1.0.0
+1.2.0
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Report bugs and errors found while using the Operator.
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+### Your environment
+
+<!-- Version of the Operator when the error occurred -->
+Operator Version:
+
+<!-- What version of the Connect server are you running?
+You can get this information from the Integrations section in 1Password
+https://start.1password.com/integrations/active
+-->
+Connect Server Version:
+
+<!-- What version of Kubernetes have you deployed the operator to? -->
+Kubernetes Version:
+
+## What happened?
+<!-- Describe the bug or error -->
+
+## What did you expect to happen?
+<!-- Describe what should have happened -->
+
+## Steps to reproduce
+1. <!-- Describe Steps to reproduce the issue -->
+
+
+## Notes & Logs
+<!-- Paste any logs here that may help with debugging.
+Remember to remove any sensitive information before sharing! -->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,9 @@
+# docs: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: 1Password Community
+    url: https://1password.community/categories/secrets-automation
+    about: Please ask general Secrets Automation questions here.
+  - name: 1Password Security Bug Bounty
+    url: https://bugcrowd.com/agilebits
+    about: Please report security vulnerabilities here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,32 @@
+---
+name: Feature request
+about: Suggest an idea for the Operator
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+### Summary
+<!-- Briefly describe the feature in one or two sentences. You can include more details later. -->
+
+### Use cases
+<!-- Describe the use cases that make this feature useful to others.
+The description should help the reader understand why the feature is necessary.
+The better we understand your use case, the better we can help create an appropriate solution. -->
+
+### Proposed solution
+<!-- If you already have an idea for how the feature should work, use this space to describe it.
+We'll work with you to find a workable approach, and any implementation details are appreciated.
+-->
+
+### Is there a workaround to accomplish this today?
+<!-- If there's a way to accomplish this feature request without changes to the codebase, we'd like to hear it.
+-->
+
+### References & Prior Work
+<!-- If a similar feature was implemented in another project or tool, add a link so we can better understand your request.
+Links to relevant documentation or RFCs are also appreciated. -->
+
+* <!-- Reference 1 -->
+* <!-- Reference 2, etc -->
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,13 +1,15 @@
-name: goreleaser
+name: release

 on:
  push:
    tags:
-      - '*'
+      - 'v*'

 jobs:
-  goreleaser:
+  release-docker:
    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      -
        name: Checkout
@@ -15,15 +17,41 @@ jobs:
        with:
          fetch-depth: 0
      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+        name: Docker meta
+        id: meta
+        uses: crazy-max/ghaction-docker-meta@v2
        with:
-          go-version: 1.15
+          images: |
+            1password/onepassword-operator
+          # Publish image for x.y.z and x.y
+          # The latest tag is automatically added for semver tags
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Get the version from tag
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/v}
      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Docker Login
+        uses: docker/login-action@v1
        with:
-          version: latest
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            operator_version=${{ steps.get_version.outputs.VERSION }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,40 @@

 ---

+[//]: # (START/v1.2.0)
+# v1.2.0
+
+## Features
+  * Support secrets provisioned through FromEnv. {#74}
+  * Support configuration of Kubernetes Secret type. {#87}
+  * Improved logging. (#72)
+---
+
+[//]: # (START/v1.1.0)
+# v1.1.0
+
+## Fixes
+ * Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
+
+---
+
+[//]: # (START/v1.0.2)
+# v1.0.2
+
+## Fixes
+ * Name normalizer added to handle non-conforming item names.
+
+---
+
+[//]: # (START/v1.0.1)
+# v1.0.1
+
+## Features
+* This release also contains an arm64 Docker image. {#20}
+* Docker images are also pushed to the :latest and :<major>.<minor> tags.
+
+---
+
 [//]: # (START/v1.0.0)
 # v1.0.0

--- a/4
+++ b/4
@@ -14,11 +14,9 @@ COPY vendor/ vendor/
 # Build
 ARG operator_version=dev
 RUN CGO_ENABLED=0 \
-    GOOS=linux \
-    GOARCH=amd64 \
    GO111MODULE=on \
    go build \
-    -ldflags "-X version.Version=$operator_version" \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
    -mod vendor \
    -a -o manager main.go

--- a/4
+++ b/4
@@ -20,12 +20,12 @@ test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover

 build:	## Build operator Docker image
-	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
 	@echo "Successfully built and tagged image."
 	@echo "Tag: $(DOCKER_IMG_TAG)"

 build/local:	## Build local version of the operator Docker image
-	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .

 build/binary: clean	## Build operator binary
 	@mkdir -p dist
--- a/README.md
+++ b/README.md
@@ -13,8 +13,8 @@ Prerequisites:
 - [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
 - [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - [docker installed](https://docs.docker.com/get-docker/)
- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.b5dev.com/cs/connect)
- [1Password Connect deployed to Kubernetes](https://support.b5dev.com/cs/connect-deploy-kubernetes/#step-2-deploy-a-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.

 ### Quickstart for Deploying 1Password Connect to Kubernetes

@@ -30,14 +30,13 @@ If 1Password Connect is already running, you can skip this step. This guide will
 Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:

 ```bash
-$ cat 1password-credentials.json | base64 | \
+cat 1password-credentials.json | base64 | \
  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
 ```

 Create a Kubernetes secret from the op-session file:
 ```bash
-
-$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
+kubectl create secret generic op-credentials --from-file=1password-credentials.json=op-session
 ```

 Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
@@ -53,28 +52,28 @@ Adding this environment variable will have the operator automatically deploy a d
 "Create a Connect token for the operator and save it as a Kubernetes Secret: 

 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=<OP_CONNECT_TOKEN>"
+kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
 ```

 If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
 ```

-[More information on generating a token can be found here](https://support.1password.com/cs/secrets-automation/#appendix-issue-additional-access-tokens)
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)

 **Set Permissions For Operator**

 We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.

 ```bash
-$ kubectl apply -f deploy/permissions.yaml
+kubectl apply -f deploy/permissions.yaml
 ```

 **Create Custom One Password Secret Resource**

 ```bash
-$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
+kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
 ```

 **Deploying the Operator**
@@ -84,9 +83,9 @@ An sample Deployment yaml can be found at `/deploy/operator.yaml`.

 To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:

- **WATCH_NAMESPACE:** comma separated list of what Namespaces to watch for changes.
 - **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
- **POLLING_INTERVAL** (default: 600)**:** The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
 - **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
 - **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.

@@ -102,7 +101,7 @@ To create a Kubernetes Secret from a 1Password item, create a yaml file with the

 ```yaml
 apiVersion: onepassword.com/v1
-kind: OnePasswordItem # {insert_new_name}
+kind: OnePasswordItem
 metadata:
  name: <item_name> #this name will also be used for naming the generated kubernetes secret
 spec:
@@ -112,13 +111,13 @@ spec:
 Deploy the OnePasswordItem to Kubernetes:

 ```bash
-$ kubectl apply -f <your_item>.yaml
+kubectl apply -f <your_item>.yaml
 ```

 To test that the Kubernetes Secret check that the following command returns a secret:

 ```bash
-$ kubectl get secret <secret_name>
+kubectl get secret <secret_name>
 ```

 Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
@@ -131,8 +130,8 @@ kind: Deployment
 metadata:
  name: deployment-example
  annotations:
-    operator.1password.io/item-path: "vaults/{vault_id_or_title}/items/{item_id_or_title}"
-    operator.1password.io/item-name: "{secret_name}"
+    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
+    operator.1password.io/item-name: "<secret_name>"
 ```

 Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
@@ -144,7 +143,12 @@ If a 1Password Item that is linked to a Kubernetes Secret is updated within the
 ---
 **NOTE**

-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. Furthermore, titles that include white space characters cannot be used.
+If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
+
+Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
+ - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
+ - All whitespaces between words will be replaced by `-`
+ - All the letters will be lower-cased.

 ---

@@ -163,7 +167,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: "example-namespace"
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.

@@ -175,7 +180,8 @@ apiVersion: v1
 kind: Deployment
 metadata:
  name: "example-deployment"
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the namespace will be used.

@@ -187,7 +193,8 @@ apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: example
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the deployment will be used.

@@ -224,4 +231,4 @@ make test/coverage

 Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). 

-For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
+For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -83,9 +83,11 @@ func main() {

 	printVersion()

-	namespace, err := k8sutil.GetWatchNamespace()
+	namespace := os.Getenv(k8sutil.WatchNamespaceEnvVar)
+
+	deploymentNamespace, err := k8sutil.GetOperatorNamespace()
 	if err != nil {
-		log.Error(err, "Failed to get watch namespace")
+		log.Error(err, "Failed to get namespace")
 		os.Exit(1)
 	}

@@ -139,7 +141,7 @@ func main() {
 		go func() {
 			connectStarted := false
 			for connectStarted == false {
-				err := op.SetupConnect(mgr.GetClient())
+				err := op.SetupConnect(mgr.GetClient(), deploymentNamespace)
 				// Cache Not Started is an acceptable error. Retry until cache is started.
 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) {
 					log.Error(err, "")
@@ -176,7 +178,10 @@ func main() {
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				err := updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				if err != nil {
+					log.Error(err, "error running update kubernetes secret task")
+				}
 			}
 		}
 	}()
--- a/deploy/connect/deployment.yaml
+++ b/deploy/connect/deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: onepassword-connect
-  namespace: default
 spec:
  selector:
    matchLabels:
--- a/deploy/connect/service.yaml
+++ b/deploy/connect/service.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: onepassword-connect
-  namespace: default
 spec:
  type: NodePort
  selector:
--- a/deploy/crds/onepassword.com_onepassworditems_crd.yaml
+++ b/deploy/crds/onepassword.com_onepassworditems_crd.yaml
@@ -39,4 +39,7 @@ spec:
          status:
            description: OnePasswordItemStatus defines the observed state of OnePasswordItem
            type: object
+          type:
+            description: 'Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
+            type: string
        type: object
--- a/pkg/apis/onepassword/v1/onepasswordsecret_types.go
+++ b/pkg/apis/onepassword/v1/onepasswordsecret_types.go
@@ -26,6 +26,7 @@ type OnePasswordItemStatus struct {
 type OnePasswordItem struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Type              string `json:"type,omitempty"`

 	Spec   OnePasswordItemSpec   `json:"spec,omitempty"`
 	Status OnePasswordItemStatus `json:"status,omitempty"`
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -191,6 +191,9 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)

 	secretName := annotations[op.NameAnnotation]
+	secretLabels := map[string]string(nil)
+	secretType := ""
+
 	if len(secretName) == 0 {
 		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
 		return nil
@@ -201,5 +204,5 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}

-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation])
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, secretType, annotations)
 }
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Test Do not update if OnePassword Item Version has not changed",
+		testName: "Test Do not update if Annotations have not changed",
 		deploymentResource: &appsv1.Deployment{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       deploymentKind,
@@ -271,6 +271,7 @@ var tests = []testReconcileItem{
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
+				Labels: map[string]string{},
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -278,7 +279,9 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
 				},
 			},
 			Data: expectedSecretData,
@@ -289,8 +292,11 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
 				},
+				Labels: map[string]string(nil),
 			},
 			Data: expectedSecretData,
 		},
@@ -323,6 +329,7 @@ var tests = []testReconcileItem{
 					op.VersionAnnotation: "456",
 				},
 			},
+			Type: corev1.SecretType(""),
 			Data: expectedSecretData,
 		},
 		expectedError: nil,
@@ -334,6 +341,7 @@ var tests = []testReconcileItem{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
+			Type: corev1.SecretType(""),
 			Data: expectedSecretData,
 		},
 		opItem: map[string]string{
@@ -367,6 +375,7 @@ var tests = []testReconcileItem{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
+			Type: corev1.SecretType(""),
 			Data: expectedSecretData,
 		},
 		opItem: map[string]string{
--- a/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -144,12 +144,15 @@ func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem

 func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
 	secretName := resource.GetName()
-	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]
+	labels := resource.Labels
+	annotations := resource.Annotations
+	secretType := resource.Type
+	autoRestart := annotations[op.RestartDeploymentsAnnotation]

 	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}

-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, secretType, annotations)
 }
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"testing"

+	"github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
 	"github.com/1Password/onepassword-operator/pkg/mocks"
 	op "github.com/1Password/onepassword-operator/pkg/onepassword"

@@ -31,6 +32,9 @@ const (
 	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
 	username                  = "test-user"
 	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
+	firstHost                 = "http://localhost:8080"
+	awsKey                    = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+	iceCream                  = "freezing blue 20%"
 	userKey                   = "username"
 	passKey                   = "password"
 	version                   = 123
@@ -116,7 +120,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -127,7 +132,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -147,6 +153,11 @@ var tests = []testReconcileItem{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
@@ -157,8 +168,10 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: "456",
+					op.VersionAnnotation:  "456",
+					op.ItemPathAnnotation: itemPath,
 				},
+				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -168,8 +181,10 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
+				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -178,6 +193,59 @@ var tests = []testReconcileItem{
 			passKey: password,
 		},
 	},
+	{
+		testName: "Test Updating Type of Existing Kubernetes Secret using OnePasswordItem",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+			Type: string(corev1.SecretTypeBasicAuth),
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Type: corev1.SecretTypeBasicAuth,
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
+			},
+			Type: corev1.SecretTypeBasicAuth,
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
 	{
 		testName: "Custom secret type",
 		customResource: &onepasswordv1.OnePasswordItem{
@@ -192,6 +260,7 @@ var tests = []testReconcileItem{
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
 			},
+			Type: "custom",
 		},
 		existingSecret: nil,
 		expectedError:  nil,
@@ -203,6 +272,7 @@ var tests = []testReconcileItem{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
+			Type: corev1.SecretType("custom"),
 			Data: expectedSecretData,
 		},
 		opItem: map[string]string{
@@ -210,6 +280,164 @@ var tests = []testReconcileItem{
 			passKey: password,
 		},
 	},
+	{
+		testName: "Error if secret type is changed",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+			Type: "custom",
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+			Data: expectedSecretData,
+		},
+		expectedError: kubernetessecrets.ErrCannotUpdateSecretType,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with fields and sections that have invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":       []byte(password),
+				"username":       []byte(username),
+				"first-host":     []byte(firstHost),
+				"AWS-Access-Key": []byte(awsKey),
+				"ice-cream-type": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:            username,
+			passKey:            password,
+			"first host":       firstHost,
+			"AWS Access Key":   awsKey,
+			"😄 ice-cream type": iceCream,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with `-`, `_` and `.`",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!.my_sECReT.it3m%-_",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret.it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":          []byte(password),
+				"username":          []byte(username),
+				"first-host":        []byte(firstHost),
+				"AWS-Access-Key":    []byte(awsKey),
+				"-_ice_cream.type.": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:               username,
+			passKey:               password,
+			"first host":          firstHost,
+			"AWS Access Key":      awsKey,
+			"😄 -_ice_cream.type.": iceCream,
+		},
+	},
 }

 func TestReconcileOnePasswordItem(t *testing.T) {
@@ -241,7 +469,10 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {

 				item := onepassword.Item{}
-				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Fields = []*onepassword.ItemField{}
+				for k, v := range testData.opItem {
+					item.Fields = append(item.Fields, &onepassword.ItemField{Label: k, Value: v})
+				}
 				item.Version = version
 				item.Vault.ID = vaultUUID
 				item.ID = uuid
@@ -257,8 +488,8 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			// watched resource .
 			req := reconcile.Request{
 				NamespacedName: types.NamespacedName{
-					Name:      name,
-					Namespace: namespace,
+					Name:      testData.customResource.ObjectMeta.Name,
+					Namespace: testData.customResource.ObjectMeta.Namespace,
 				},
 			}
 			_, err := r.Reconcile(req)
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -4,12 +4,21 @@ import (
 	"context"
 	"fmt"

+	"regexp"
+	"strings"
+
+	"reflect"
+
+	errs "errors"
+
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
 	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -21,24 +30,33 @@ const restartAnnotation = OnepasswordPrefix + "/last-restarted"
 const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
 const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"

+var ErrCannotUpdateSecretType = errs.New("Cannot change secret type. Secret type is immutable")
+
 var log = logf.Log

-func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string) error {
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretType string, secretAnnotations map[string]string) error {

 	itemVersion := fmt.Sprint(item.Version)
-	annotations := map[string]string{
-		VersionAnnotation:  itemVersion,
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
+
+	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
+	if secretAnnotations == nil {
+		secretAnnotations = map[string]string{}
 	}
+
+	secretAnnotations[VersionAnnotation] = itemVersion
+	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
+
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
 		if err != nil {
 			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
 			return err
 		}
-		annotations[RestartDeploymentsAnnotation] = autoRestart
+		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
 	}
-	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, annotations, *item)
+
+	// "Opaque" and "" secret types are treated the same by Kubernetes.
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, secretType, *item)

 	currentSecret := &corev1.Secret{}
 	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
@@ -49,9 +67,17 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 		return err
 	}

-	if currentSecret.Annotations[VersionAnnotation] != itemVersion {
+	currentAnnotations := currentSecret.Annotations
+	currentLabels := currentSecret.Labels
+	currentSecretType := string(currentSecret.Type)
+	if !reflect.DeepEqual(currentSecretType, secretType) {
+		return ErrCannotUpdateSecretType
+	}
+
+	if !reflect.DeepEqual(currentAnnotations, secretAnnotations) || !reflect.DeepEqual(currentLabels, labels) {
 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
-		currentSecret.ObjectMeta.Annotations = annotations
+		currentSecret.ObjectMeta.Annotations = secretAnnotations
+		currentSecret.ObjectMeta.Labels = labels
 		currentSecret.Data = secret.Data
 		return kubeClient.Update(context.Background(), currentSecret)
 	}
@@ -60,14 +86,16 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	return nil
 }

-func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, secretType string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        name,
+			Name:        formatSecretName(name),
 			Namespace:   namespace,
 			Annotations: annotations,
+			Labels:      labels,
 		},
 		Data: BuildKubernetesSecretData(item.Fields),
+		Type: corev1.SecretType(secretType),
 	}
 }

@@ -75,8 +103,59 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			secretData[fields[i].Label] = []byte(fields[i].Value)
+			key := formatSecretDataName(fields[i].Label)
+			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
+
+// formatSecretName rewrites a value to be a valid Secret name.
+//
+// The Secret meta.name and data keys must be valid DNS subdomain names
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretName(value string) string {
+	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretName(value)
+}
+
+// formatSecretDataName rewrites a value to be a valid Secret data key.
+//
+// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretDataName(value string) string {
+	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretDataName(value)
+}
+
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
+
+func createValidSecretName(value string) string {
+	result := strings.ToLower(value)
+	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	// first and last character MUST be alphanumeric
+	return strings.Trim(result, "-.")
+}
+
+var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
+var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
+
+func createValidSecretDataName(value string) string {
+	result := invalidStartEndChars.ReplaceAllString(value, "")
+	result = invalidDataChars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	return result
+}
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -30,7 +31,13 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"

 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	secretType := ""
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -42,6 +49,10 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
 	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+
+	if createdSecret.Annotations["testAnnotation"] != "exists" {
+		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
+	}
 }

 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -55,7 +66,12 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"

 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{}
+	secretType := ""
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
+
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -66,7 +82,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.Version = 456
 	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
-	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation)
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -99,9 +115,11 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	item := onepassword.Item{}
 	item.Fields = generateFields(5)
+	labels := map[string]string{}
+	secretType := ""

-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
-	if kubeSecret.Name != name {
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item)
+	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
@@ -113,6 +131,79 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	compareFields(item.Fields, kubeSecret.Data, t)
 }

+func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
+	name := "inV@l1d k8s secret%name"
+	expectedName := "inv-l1d-k8s-secret-name"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		"annotationKey": "annotationValue",
+	}
+	labels := map[string]string{}
+	item := onepassword.Item{}
+	secretType := ""
+
+	item.Fields = []*onepassword.ItemField{
+		{
+			Label: "label w%th invalid ch!rs-",
+			Value: "value1",
+		},
+		{
+			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
+			Value: "name exceeds max length",
+		},
+	}
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item)
+
+	// Assert Secret's meta.name was fixed
+	if kubeSecret.Name != expectedName {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+
+	// assert labels were fixed for each data key
+	for key := range kubeSecret.Data {
+		if !validLabel(key) {
+			t.Errorf("Expected valid kubernetes label, got %s", key)
+		}
+	}
+}
+
+func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "tls-test-secret-name"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	secretType := "kubernetes.io/tls"
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	createdSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not created: %v", err)
+	}
+
+	if createdSecret.Type != corev1.SecretTypeTLS {
+		t.Errorf("Expected secretType to be of tyype corev1.SecretTypeTLS, got %s", string(createdSecret.Type))
+	}
+}
+
 func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
 	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
 	if err != nil {
@@ -164,3 +255,10 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
 	}
 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
 }
+
+func validLabel(v string) bool {
+	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
+		return false
+	}
+	return true
+}
--- a/pkg/onepassword/connect_setup.go
+++ b/pkg/onepassword/connect_setup.go
@@ -2,6 +2,7 @@ package onepassword

 import (
 	"context"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"

 	appsv1 "k8s.io/api/apps/v1"
@@ -17,13 +18,13 @@ var logConnectSetup = logf.Log.WithName("ConnectSetup")
 var deploymentPath = "deploy/connect/deployment.yaml"
 var servicePath = "deploy/connect/service.yaml"

-func SetupConnect(kubeClient client.Client) error {
-	err := setupService(kubeClient, servicePath)
+func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
+	err := setupService(kubeClient, servicePath, deploymentNamespace)
 	if err != nil {
 		return err
 	}

-	err = setupDeployment(kubeClient, deploymentPath)
+	err = setupDeployment(kubeClient, deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -31,22 +32,22 @@ func SetupConnect(kubeClient client.Client) error {
 	return nil
 }

-func setupDeployment(kubeClient client.Client, deploymentPath string) error {
+func setupDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
 	existingDeployment := &appsv1.Deployment{}

 	// check if deployment has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingDeployment)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment")
-			return createDeployment(kubeClient, deploymentPath)
+			return createDeployment(kubeClient, deploymentPath, deploymentNamespace)
 		}
 	}
 	return err
 }

-func createDeployment(kubeClient client.Client, deploymentPath string) error {
-	deployment, err := getDeploymentToCreate(deploymentPath)
+func createDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
+	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -59,12 +60,16 @@ func createDeployment(kubeClient client.Client, deploymentPath string) error {
 	return nil
 }

-func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
+func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*appsv1.Deployment, error) {
 	f, err := os.Open(deploymentPath)
 	if err != nil {
 		return nil, err
 	}
-	deployment := &appsv1.Deployment{}
+	deployment := &appsv1.Deployment{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(deployment)
 	if err != nil {
@@ -73,26 +78,30 @@ func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
 	return deployment, nil
 }

-func setupService(kubeClient client.Client, servicePath string) error {
+func setupService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	existingService := &corev1.Service{}

 	//check if service has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingService)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect service found. Creating Service")
-			return createService(kubeClient, servicePath)
+			return createService(kubeClient, servicePath, deploymentNamespace)
 		}
 	}
 	return err
 }

-func createService(kubeClient client.Client, servicePath string) error {
+func createService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	f, err := os.Open(servicePath)
 	if err != nil {
 		return err
 	}
-	service := &corev1.Service{}
+	service := &corev1.Service{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(service)
 	if err != nil {
--- a/pkg/onepassword/connect_setup_test.go
+++ b/pkg/onepassword/connect_setup_test.go
@@ -25,7 +25,7 @@ func TestServiceSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupService(client, "../../deploy/connect/service.yaml")
+	err := setupService(client, "../../deploy/connect/service.yaml", defaultNamespacedName.Namespace)

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
@@ -50,7 +50,7 @@ func TestDeploymentSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupDeployment(client, "../../deploy/connect/deployment.yaml")
+	err := setupDeployment(client, "../../deploy/connect/deployment.yaml", defaultNamespacedName.Namespace)

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
--- a/pkg/onepassword/containers.go
+++ b/pkg/onepassword/containers.go
@@ -1,6 +1,8 @@
 package onepassword

-import corev1 "k8s.io/api/core/v1"
+import (
+	corev1 "k8s.io/api/core/v1"
+)

 func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(containers); i++ {
@@ -13,6 +15,15 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
 				}
 			}
 		}
+		envFromVariables := containers[i].EnvFrom
+		for j := 0; j < len(envFromVariables); j++ {
+			if envFromVariables[j].SecretRef != nil {
+				_, ok := secrets[envFromVariables[j].SecretRef.Name]
+				if ok {
+					return true
+				}
+			}
+		}
 	}
 	return false
 }
@@ -28,6 +39,15 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
 				}
 			}
 		}
+		envFromVariables := containers[i].EnvFrom
+		for j := 0; j < len(envFromVariables); j++ {
+			if envFromVariables[j].SecretRef != nil {
+				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name]
+				if ok {
+					updatedDeploymentSecrets[secret.Name] = secret
+				}
+			}
+		}
 	}
 	return updatedDeploymentSecrets
 }
--- a/pkg/onepassword/containers_test.go
+++ b/pkg/onepassword/containers_test.go
@@ -4,9 +4,10 @@ import (
 	"testing"

 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-func TestAreContainersUsingSecrets(t *testing.T) {
+func TestAreContainersUsingSecretsFromEnv(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
 		"onepassword-database-secret": &corev1.Secret{},
 		"onepassword-api-key":         &corev1.Secret{},
@@ -18,7 +19,26 @@ func TestAreContainersUsingSecrets(t *testing.T) {
 		"some_other_key",
 	}

-	containers := generateContainers(containerSecretNames)
+	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
+
+	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
+		t.Errorf("Expected that containers were using secrets but they were not detected.")
+	}
+}
+
+func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": {},
+		"onepassword-api-key":         {},
+	}
+
+	containerSecretNames := []string{
+		"onepassword-database-secret",
+		"onepassword-api-key",
+		"some_other_key",
+	}
+
+	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)

 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were using secrets but they were not detected.")
@@ -27,17 +47,39 @@ func TestAreContainersUsingSecrets(t *testing.T) {

 func TestAreContainersNotUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": &corev1.Secret{},
-		"onepassword-api-key":         &corev1.Secret{},
+		"onepassword-database-secret": {},
+		"onepassword-api-key":         {},
 	}

 	containerSecretNames := []string{
 		"some_other_key",
 	}

-	containers := generateContainers(containerSecretNames)
+	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)

 	if AreContainersUsingSecrets(containers, secretNamesToSearch) {
 		t.Errorf("Expected that containers were not using secrets but they were detected.")
 	}
 }
+
+func TestAppendUpdatedContainerSecretsParsesEnvFromEnv(t *testing.T) {
+	secretNamesToSearch := map[string]*corev1.Secret{
+		"onepassword-database-secret": {},
+		"onepassword-api-key":         {ObjectMeta: metav1.ObjectMeta{Name: "onepassword-api-key"}},
+	}
+
+	containerSecretNames := []string{
+		"onepassword-api-key",
+	}
+
+	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
+
+	updatedDeploymentSecrets := map[string]*corev1.Secret{}
+	updatedDeploymentSecrets = AppendUpdatedContainerSecrets(containers, secretNamesToSearch, updatedDeploymentSecrets)
+
+	secretKeyName := "onepassword-api-key"
+
+	if updatedDeploymentSecrets[secretKeyName] != secretNamesToSearch[secretKeyName] {
+		t.Errorf("Expected that updated Secret from envfrom is found.")
+	}
+}
--- a/pkg/onepassword/deployments_test.go
+++ b/pkg/onepassword/deployments_test.go
@@ -39,7 +39,7 @@ func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
 	}

 	deployment := &appsv1.Deployment{}
-	deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
+	deployment.Spec.Template.Spec.Containers = generateContainersWithSecretRefsFromEnv(containerSecretNames)
 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
 		t.Errorf("Expected that deployment was using secrets but they were not detected.")
 	}
--- a/pkg/onepassword/object_generators_for_test.go
+++ b/pkg/onepassword/object_generators_for_test.go
@@ -17,8 +17,7 @@ func generateVolumes(names []string) []corev1.Volume {
 	}
 	return volumes
 }
-
-func generateContainers(names []string) []corev1.Container {
+func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {
 		container := corev1.Container{
@@ -40,3 +39,16 @@ func generateContainers(names []string) []corev1.Container {
 	}
 	return containers
 }
+
+func generateContainersWithSecretRefsFromEnvFrom(names []string) []corev1.Container {
+	containers := []corev1.Container{}
+	for i := 0; i < len(names); i++ {
+		container := corev1.Container{
+			EnvFrom: []corev1.EnvFromSource{
+				{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: names[i]}}},
+			},
+		}
+		containers = append(containers, container)
+	}
+	return containers
+}
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -118,7 +118,8 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*

 		item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
 		if err != nil {
-			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
+			log.Error(err, "failed to retrieve 1Password item at path \"%s\" for secret \"%s\"", secret.Annotations[ItemPathAnnotation], secret.Name)
+			continue
 		}

 		itemVersion := fmt.Sprint(item.Version)
@@ -131,7 +132,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 			}
 			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 			secret.Annotations[VersionAnnotation] = itemVersion
-			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, string(secret.Type), *item)
 			h.client.Update(context.Background(), updatedSecret)
 			if updatedSecrets[secret.Namespace] == nil {
 				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
Author	SHA1	Message	Date
Marton Soos	befcaae457	Fix typo in changelog	2022-02-21 11:49:14 +01:00
Marton Soos	b24aa48bd6	Add release notes for v1.2.0	2022-02-21 11:03:14 +01:00
Marton Soos	b1e251dee6	Merge pull request #74 from Nuglif/main Verify secrets and FromEnv in addition to Env	2022-02-18 20:13:08 +01:00
Marton Soos	a34c6e8b38	Merge pull request #87 from 1Password/feature/kubernetes-secret-types Feature: Support configuring Kubernetes secret type	2022-02-18 14:16:22 +01:00
Marton Soos	b16960057a	Update tests and add new test	2022-02-18 10:47:14 +01:00
Marton Soos	285496dc7e	Error when secret type is changed	2022-02-18 10:27:48 +01:00
Marton Soos	f38cf7e1c2	Fix tests and add new test	2022-02-17 21:23:22 +01:00
Marton Soos	bb7a0c8ca9	Simplify secret type cast and default to Opaque	2022-02-17 19:36:49 +01:00
Marton Soos	302653832e	Account for the fact that the '' type and Opaque are equivalent on secret comparison	2022-02-17 19:18:33 +01:00
Marton Soos	a1bcfdfdcb	Merge branch 'main' into feature/kubernetes-secret-types	2022-02-17 17:54:17 +01:00
Floris van der Grinten	c0f1632638	Merge pull request #72 from samifruit514/main More logging if 1password item cant be read and continue processing other items	2021-11-18 13:39:34 +01:00
Floris van der Grinten	c46065fa7a	Merge branch 'main' into samifruit514/main	2021-11-18 13:29:55 +01:00
Andres Montalban	5d229c42d5	feat: Allow configuration of the Kubernetes Secret type to be created	2021-11-18 08:32:55 -03:00
Joris Coenen	c7235b4f09	Merge pull request #49 from FabioAntunes/patch-1 Update README.md	2021-10-04 12:33:02 +02:00
Joris Coenen	5183fc129a	Merge branch 'main' into patch-1	2021-10-04 12:29:48 +02:00
David Gunter	7d619165b2	Merge pull request #76 from Klaudioz/patch-1 Removing $ from bash commands	2021-09-30 09:26:03 -07:00
Claudio Canales	0363ae1e4e	Removing $ from bash commands Using the copy button is bringing the commands with a $, which is giving the error `-bash: $: command not found` after pasting them to the console.	2021-09-29 16:16:45 -03:00
Samuel Archambault	d9e003bdb7	cleanup comments	2021-09-24 14:02:46 -04:00
Samuel Archambault	b25f943b3a	Verify secrets and FromEnv in addition to Env	2021-09-24 13:51:05 -04:00
Samuel Archambault	5fab662424	More logging if 1password item cant be read and continue processing others	2021-09-24 11:03:47 -04:00
David Gunter	d807e92c36	Merge pull request #71 from 1Password/release/v1.1.0 Prepare Release - v1.1.0	2021-09-23 11:21:16 -07:00
david.gunter	244771717c	Prepare release/1.1.0	2021-09-23 11:18:53 -07:00
Floris van der Grinten	7aeb36e383	Merge pull request #66 from 1Password/fix/handling-key-names Handling key names	2021-09-13 13:34:44 +02:00
Floris van der Grinten	5c2f840623	Merge pull request #43 from mcmarkj/pass-labels-and-annotations Add Labels & Annotations from OPObject to Secret	2021-09-13 13:33:38 +02:00
Eddy Filip	670040477e	Add max length for secret key names Max length for secret key names must be DNS1123 compliant (253)	2021-09-08 16:02:08 +03:00
Eddy Filip	a45a310611	Make secret names DNS1123 Subdomain compiant This is done while ensuring that secret keys are compliant (contain alphanumeric characters, `-`, `_` and `.`)	2021-09-08 15:36:40 +03:00
Eddy Filip	d80e8dd799	Add tests with names that contain `.` and `_`	2021-09-08 13:58:48 +03:00
Eddy Filip	88728909ff	Adjust regex to support `_` and `.` and trim them Now secret names can also contain `_` and `.` and they will be trimmed from start and end of string to be DNS1123 compliant	2021-09-08 13:49:32 +03:00
Marton Soos	e365ebfdfa	Fix tests	2021-09-03 15:42:02 +03:00
Marton Soos	2c4b4df01a	Do not make secret names lowercase on normalization	2021-09-03 15:41:46 +03:00
Jillian W	49d984c6f2	Merge pull request #64 from 1Password/release/v1.0.2 Preparing release	2021-08-27 15:32:40 -03:00
jillianwilson	72cad7284c	Preparing release	2021-08-27 15:21:07 -03:00
mcmarkj	0193a98681	Merge branch 'main' of github.com:1Password/onepassword-operator into pass-labels-and-annotations	2021-08-19 16:15:02 +01:00
mcmarkj	f241d7423d	Use deepequal	2021-08-19 16:11:29 +01:00
Eduard Filip	6043e0da0b	Merge pull request #58 from 1Password/dg/normalize-secret-name Add secret name normalizer to the operator.	2021-08-17 20:28:07 +02:00
Eddy Filip	753cc5e9a3	Update note in README The note now explains how the item title and fields are made into DNS subdomain-compliant names for creating Kubernetes secrets.	2021-08-16 15:24:04 +02:00
Eddy Filip	8cfe98073e	Improve testing Fix previous tests and add test for items with field names that are not valid DNS subdomain names.	2021-08-16 14:51:44 +02:00
mcmarkj	c0037526b0	remove commit file	2021-08-15 15:32:18 +01:00
david.gunter	96b42e7c52	Label normalizer now fixes both Secret names and data keys. Each key in the `data` section of a secret must also be a valid DNS subdomain. The operator needs to "fix" the 1Password item fields before trying to create the secret.	2021-08-06 13:18:21 -07:00
david.gunter	579b5848da	Add secret name normalizer to the operator. The operator will now reformat 1Password item names to become valid names K8s Secret objects. Secret names must be a valid DNS subdomain name. See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names	2021-08-05 16:39:55 -07:00
mcmarkj	dff934cbc3	Fix tests	2021-08-04 06:33:56 +01:00
mcmarkj	2096f4440f	add logic for checking for label or annotation updates	2021-08-03 21:32:04 +01:00
mcmarkj	b3fc707337	Merge branch 'main' of github.com:1Password/onepassword-operator into pass-labels-and-annotations	2021-07-23 15:29:24 +01:00
Fábio Antunes	313cd1169b	Update README.md Minor update to the README. Got me debugging for a few hours	2021-07-02 10:23:28 +01:00
Eduard Filip	b50d864b50	Merge pull request #46 from 1Password/connect-deploy-custom-namespace Add support custom namespace for connect deployment	2021-06-17 14:13:43 +03:00
Eduard Filip	1643385d9b	Merge pull request #45 from 1Password/fix/makefile Add missing argument for docker build	2021-06-17 14:13:11 +03:00
Eddy Filip	9441214733	Add support custom namespace for connect deployment Now when the operator is deployed with the `MANAGE_CONNECT` env var set to true, the connect instance is deployed in the same namespace as the operator.	2021-06-09 20:45:33 +03:00
Eddy Filip	7e4e988813	Add missing argument for docker build `make build` and `make build/local` would fail because the docker build commands were incomplete.	2021-06-09 16:02:05 +03:00
mcmarkj	fb1262f1bd	PR Feedback'	2021-06-07 21:51:44 +01:00
Simon Barendse	68f084080e	Merge pull request #40 from 1Password/feature/watch-namespaces-default Watch all namespaces by default	2021-06-07 14:25:48 +02:00
mcmarkj	a428fe7462	GoFMT	2021-05-28 18:15:17 +01:00
mcmarkj	ea2d1f8a09	Typo	2021-05-28 18:11:10 +01:00
mcmarkj	bd96d50a9b	Add Labels & Annotations from OPObject to Secret	2021-05-28 16:39:00 +01:00
Simon Barendse	859c9e3462	Watch all namespaces by default When nothing is configured, watch all namespaces by default. This makes it easier to get started. It also makes configuring to watch all namespaces less akward (currently you have to set the WATCH_NAMESPACE environment variable to the empty string to configure the operator to watch all namespaces.	2021-05-14 14:26:30 +02:00
Simon Barendse	9dabac4a55	Merge pull request #35 from 1Password/auto-restart-annotation-example Fix examples using the auto-restart annotation	2021-05-07 11:33:54 +02:00
Simon Barendse	d927a08790	Fix examples using the auto-restart annotation	2021-05-03 18:14:02 +02:00
Simon Barendse	933f7c4e2c	Merge pull request #33 from lemichello/readme-token-name Make token name used in README and deploy/operator.yaml consistent	2021-05-03 18:04:07 +02:00
Floris van der Grinten	81eb9a521f	Merge pull request #34 from 1Password/support-links Update documentation links	2021-05-03 18:02:09 +02:00
Simon Barendse	eb32bd7f94	Update documentation links Also switch b5dev.com to 1password.com	2021-05-03 16:59:32 +02:00
Simon Barendse	a5781af949	Update documentation links The documentation is moved to our main support site when the operator was publicly released. The old URLs are redirected to the new URLs used in this commit, however, when redirecting the anchor is lost and the page is not scrolled to that position on the page. This commit fixes that by changing the URLs to the new URLs.	2021-05-03 16:56:49 +02:00
Maksym Lemich	0aa5781acd	renamed the proposed secret name for the token	2021-05-03 14:07:59 +03:00
Joris Coenen	700be4426f	Merge pull request #31 from 1Password/armv7-image Add arm/v7 image	2021-04-30 17:43:07 +02:00
Joris Coenen	76ef9aa372	Merge pull request #30 from 1Password/fix-cli-version Fix the version passed to the image	2021-04-30 16:39:29 +02:00
Joris Coenen	d7e6704314	Add arm/v7 image Needed to run on a Raspberry Pi. Arm/v6 would also be nice, but this does not seem to be supported by the current base image gcr.io/distroless/static:nonroot. So let's go with this for now.	2021-04-30 16:39:05 +02:00
Joris Coenen	2443979602	Fix the version passed to the image Contrary to what internet resources say, ${{github.event.ref}} also contains the `ref/tags/` prefix. That is removed now. Also, setting the version with plain "-X version.Version" does not seem to work consistently. Adding the full package as a prefix fixes this.	2021-04-30 16:12:45 +02:00
Joris Coenen	5b65196d31	Merge pull request #29 from 1Password/release/v1.0.1 Release v1.0.1	2021-04-30 14:31:35 +02:00
Joris Coenen	e7df8a485d	Fix inconsistency in .VERSION file	2021-04-30 14:28:36 +02:00
Joris Coenen	ded76138da	Prepare release v1.0.1	2021-04-30 14:24:33 +02:00
Joris Coenen	a5db6aeb81	Merge pull request #24 from 1Password/go-binaries-action Create GitHub Actions workflow to release to Docker Hub	2021-04-30 11:15:33 +02:00
Joris Coenen	d45f682c37	Rename job to release-docker Co-authored-by: Floris van der Grinten <floris.vandergrinten@agilebits.com>	2021-04-29 14:35:21 +02:00
Joris Coenen	d0c1235e58	Remove obsoleted goreleaser files	2021-04-23 18:45:06 +02:00
Joris Coenen	9e8f621020	Use docker buildx for building and pushing images This has the benefit that every tag only shows up as one image. With goreleaser, multiple images were shipped	2021-04-23 18:40:15 +02:00
Joris Coenen	8dd7a28456	Merge pull request #26 from 1Password/issue-templates Add GitHub issue templates	2021-04-22 18:38:29 +02:00
Joris Coenen	43b06dd7aa	Add GitHub issue templates	2021-04-22 13:38:35 +02:00
Joris Coenen	e8e01d6578	Also push :latest tag	2021-04-21 19:06:13 +02:00
Joris Coenen	b53e017b77	GitHub Action steps for publishing images to DockerHub	2021-04-21 18:41:30 +02:00
Joris Coenen	b2565cebf8	Add GoReleaser configuration for publishing docker images Should build both an amd64 and arm64 image and combine both in a single manifest. Does require some modifications to the GitHub Actions to correctly push to DockerHub. Used this blog post as inspiration: https://carlosbecker.com/posts/multi-platform-docker-images-goreleaser-gh-actions/	2021-04-21 18:18:47 +02:00
Joris Coenen	9459d2e292	Merge pull request #25 from 1Password/readme-update Minor README adjustments	2021-04-21 10:50:48 +02:00
jillianwilson	0409b17ef4	Minor README adjustments	2021-04-20 16:18:59 -03:00
@@ -1 +1 @@
 v1.0.0
 .2.0