Updating path for fetching 1password items to be of the op:// reference format

.VERSION

@@ -1 +1 @@
-1.1.0
+1.0.2

CHANGELOG.md

@@ -12,14 +12,6 @@
 
 ---
 
-[//]: # (START/v1.1.0)
-# v1.1.0
-
-## Fixes
- * Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
-
----
-
 [//]: # (START/v1.0.2)
 # v1.0.2
 

Dockerfile

@@ -7,18 +7,18 @@ COPY go.mod go.mod
 COPY go.sum go.sum
 
 # Copy the go source
-COPY operator/cmd/manager/main.go operator/main.go
-COPY operator/pkg/ operator/pkg/
-COPY operator/version/ operator/version/
+COPY cmd/manager/main.go main.go
+COPY pkg/ pkg/
+COPY version/ version/
 COPY vendor/ vendor/
 # Build
 ARG operator_version=dev
 RUN CGO_ENABLED=0 \
     GO111MODULE=on \
     go build \
-    -ldflags "-X \"github.com/1Password/onepassword-operator/operator/version.Version=$operator_version\"" \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
     -mod vendor \
-    -a -o manager operator/main.go
+    -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
@@ -26,6 +26,6 @@ FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER nonroot:nonroot
-COPY operator/deploy/connect/ operator/deploy/connect/
+COPY deploy/connect/ deploy/connect/
 
 ENTRYPOINT ["/manager"]

Makefile

@@ -19,17 +19,17 @@ test:	## Run test suite
 test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover
 
-build/operator:	## Build operator Docker image
-	@docker build -f operator/Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
+build:	## Build operator Docker image
+	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
 	@echo "Successfully built and tagged image."
 	@echo "Tag: $(DOCKER_IMG_TAG)"
 
-build/operator/local:	## Build local version of the operator Docker image 
-	@docker build -f operator/Dockerfile -t local/$(DOCKER_IMG_TAG) .
+build/local:	## Build local version of the operator Docker image
+	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .
 
-build/operator/binary: clean	## Build operator binary
+build/binary: clean	## Build operator binary
 	@mkdir -p dist
-	@go build -mod vendor -a -o manager ./operator/cmd/manager/main.go
+	@go build -mod vendor -a -o manager ./cmd/manager/main.go
 	@mv manager ./dist
 
 clean:

README.md

@@ -1,19 +1,232 @@
-# 1Password for Kubernetes
-
-This repository includes various tooling for integrating 1Password secrets wtih Kubernetes.
-
-## 1Password Connect Kubernetes Operator
+# 1Password Connect Kubernetes Operator
 
 The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.
 
-The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
+The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Reference on a deployment.
 
 The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.
 
-[Click here for more details on the 1Password Kubernetes Operator](operator/README.md)
+## Setup
+
+Prerequisites:
+
+- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
+- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- [docker installed](https://docs.docker.com/get-docker/)
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+
+### Quickstart for Deploying 1Password Connect to Kubernetes
 
 
-# Security
+#### Deploy with Helm
+The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes. 
+
+[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
+
+#### Deploy using the Connect Operator
+If 1Password Connect is already running, you can skip this step. This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
+
+Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:
+
+```bash
+$ cat 1password-credentials.json | base64 | \
+  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
+```
+
+Create a Kubernetes secret from the op-session file:
+```bash
+
+$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
+```
+
+Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
+```yaml
+- name: MANAGE_CONNECT
+  value: "true"
+```
+Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the `default` namespace.
+### Kubernetes Operator Deployment
+
+**Create Kubernetes Secret for OP_CONNECT_TOKEN**
+
+"Create a Connect token for the operator and save it as a Kubernetes Secret: 
+
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
+```
+
+If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+```
+
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
+
+**Set Permissions For Operator**
+
+We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.
+
+```bash
+$ kubectl apply -f deploy/permissions.yaml
+```
+
+**Create Custom One Password Secret Resource**
+
+```bash
+$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
+```
+
+**Deploying the Operator**
+
+An sample Deployment yaml can be found at `/deploy/operator.yaml`.
+
+
+To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
+
+- **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
+- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
+
+Apply the deployment file:
+
+```yaml
+kubectl apply -f deploy/operator.yaml
+```
+
+## Usage
+
+To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
+
+```yaml
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: <item_name> #this name will also be used for naming the generated kubernetes secret
+spec:
+  itemReference: "op://<vault_id_or_title>/<item_id_or_title>" 
+```
+
+Deploy the OnePasswordItem to Kubernetes:
+
+```bash
+$ kubectl apply -f <your_item>.yaml
+```
+
+To test that the Kubernetes Secret check that the following command returns a secret:
+
+```bash
+$ kubectl get secret <secret_name>
+```
+
+Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
+
+To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-example
+  annotations:
+    operator.1password.io/item-reference: "op://<vault>/<item>"
+    operator.1password.io/item-name: "<secret_name>"
+```
+
+Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Reference.
+
+Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-reference` and `operator.1password.io/item-name` and no other deployment is using the secret.
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
+
+---
+**NOTE**
+
+If multiple 1Password vaults/items have the same `title` when using a title in the access reference, the desired action will be performed on the oldest vault/item. 
+
+Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
+ - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
+ - All whitespaces between words will be replaced by `-`
+ - All the letters will be lower-cased.
+
+---
+
+### Configuring Automatic Rolling Restarts of Deployments
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to `auto-restart` AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.
+
+There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.
+
+**On the operator**: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable  `AUTO_RESTART` to true. If the value is not set, the operator will default this value to false.
+
+**Per Namespace**: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired namespace. An example of this is shown below:
+```yaml
+# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "example-namespace"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
+
+**Per Deployment**
+This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired deployment. An example of this is shown below:
+```yaml
+# enabled auto restarts for the deployment
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: "example-deployment"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the namespace will be used.
+
+**Per OnePasswordItem Custom Resource**
+This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation `operator.1password.io/auto_restart` to either `true` or `false` on the desired OnePasswordItem. An example of this is shown below:
+```yaml
+# enabled auto restarts for the OnePasswordItem
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: example
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the deployment will be used.
+
+## Development
+
+### Creating a Docker image
+
+To create a local version of the Docker image for testing, use the following `Makefile` target:
+```shell
+make build/local
+```
+
+### Building the Operator binary
+```shell
+make build/binary
+```
+
+The binary will be placed inside a `dist` folder within this repository.
+
+### Running Tests
+
+```shell
+make test
+```
+
+With coverage:
+```shell
+make test/coverage
+```
+
+## Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability. 
 

build/Dockerfile

@@ -0,0 +1,15 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+
+ENV OPERATOR=/usr/local/bin/onepassword-connect-operator \
+    USER_UID=1001 \
+    USER_NAME=onepassword-connect-operator
+
+# install operator binary
+COPY build/_output/bin/op-kubernetes-connect-operator ${OPERATOR}
+
+COPY build/bin /usr/local/bin
+RUN  /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}

build/bin/entrypoint

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+exec ${OPERATOR} $@

build/bin/user_setup

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+mkdir -p "${HOME}"
+chown "${USER_UID}:0" "${HOME}"
+chmod ug+rwx "${HOME}"
+
+# no need for this script to remain in the image after running
+rm "$0"

cmd/manager/main.go

@@ -11,16 +11,16 @@ import (
 	"strings"
 	"time"
 
-	"github.com/1Password/onepassword-operator/operator/pkg/controller"
-	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/controller"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 
-	"github.com/1Password/onepassword-operator/operator/pkg/apis"
-	"github.com/1Password/onepassword-operator/operator/version"
+	"github.com/1Password/onepassword-operator/pkg/apis"
+	"github.com/1Password/onepassword-operator/version"
 
 	"github.com/1Password/connect-sdk-go/connect"
 
@@ -178,7 +178,8 @@ func main() {
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				err := updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				log.Error(err, "Error occured during update secret task")
 			}
 		}
 	}()

deploy/crds/onepassword.com_onepassworditems_crd.yaml

@@ -33,7 +33,7 @@ spec:
           spec:
             description: OnePasswordItemSpec defines the desired state of OnePasswordItem
             properties:
-              itemPath:
+              itemReference:
                 type: string
             type: object
           status:

deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml

@@ -3,4 +3,4 @@ kind: OnePasswordItem
 metadata:
   name: example
 spec:
-  itemPath: "vaults/<vault_id>/items/<item_id>"
+  itemReference: "op://<vault_id>/<item_id>"

deploy/operator.yaml

@@ -16,6 +16,7 @@ spec:
       containers:
         - name: onepassword-connect-operator
           image: 1password/onepassword-operator
+          imagePullPolicy: Never
           command: ["/manager"]
           env:
             - name: WATCH_NAMESPACE

operator/README.md

@@ -1,235 +0,0 @@
-# 1Password Connect Kubernetes Operator
-
-The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.
-
-The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
-
-The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.
-
-## Setup
-
-Prerequisites:
-
-- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
-- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-- [docker installed](https://docs.docker.com/get-docker/)
-- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
-- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
-
-### Quickstart for Deploying 1Password Connect to Kubernetes
-
-
-#### Deploy with Helm
-The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes. 
-
-[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
-
-#### Deploy using the Connect Operator
-If 1Password Connect is already running, you can skip this step. This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
-
-Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:
-
-```bash
-$ cat 1password-credentials.json | base64 | \
-  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
-```
-
-Create a Kubernetes secret from the op-session file:
-```bash
-
-$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
-```
-
-Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
-```yaml
-- name: MANAGE_CONNECT
-  value: "true"
-```
-Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the `default` namespace.
-### Kubernetes Operator Deployment
-
-**Create Kubernetes Secret for OP_CONNECT_TOKEN**
-
-"Create a Connect token for the operator and save it as a Kubernetes Secret: 
-
-```bash
-$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
-```
-
-If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
-```bash
-$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
-```
-
-[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
-
-**Set Permissions For Operator**
-
-We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.
-
-```bash
-$ kubectl apply -f deploy/permissions.yaml
-```
-
-**Create Custom One Password Secret Resource**
-
-```bash
-$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
-```
-
-**Deploying the Operator**
-
-An sample Deployment yaml can be found at `/deploy/operator.yaml`.
-
-
-To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
-
-- **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
-- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
-- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
-- **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
-- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
-
-Apply the deployment file:
-
-```yaml
-kubectl apply -f deploy/operator.yaml
-```
-
-## Usage
-
-To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
-
-```yaml
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: <item_name> #this name will also be used for naming the generated kubernetes secret
-spec:
-  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
-```
-
-Deploy the OnePasswordItem to Kubernetes:
-
-```bash
-$ kubectl apply -f <your_item>.yaml
-```
-
-To test that the Kubernetes Secret check that the following command returns a secret:
-
-```bash
-$ kubectl get secret <secret_name>
-```
-
-Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
-
-To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deployment-example
-  annotations:
-    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
-    operator.1password.io/item-name: "<secret_name>"
-```
-
-Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
-
-Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
-
-If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
-
----
-**NOTE**
-
-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
-
-Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
- - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
- - All whitespaces between words will be replaced by `-`
- - All the letters will be lower-cased.
-
----
-
-### Configuring Automatic Rolling Restarts of Deployments
-
-If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to `auto-restart` AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.
-
-There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.
-
-**On the operator**: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable  `AUTO_RESTART` to true. If the value is not set, the operator will default this value to false.
-
-**Per Namespace**: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired namespace. An example of this is shown below:
-```yaml
-# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "example-namespace"
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
-
-**Per Deployment**
-This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired deployment. An example of this is shown below:
-```yaml
-# enabled auto restarts for the deployment
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: "example-deployment"
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the namespace will be used.
-
-**Per OnePasswordItem Custom Resource**
-This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation `operator.1password.io/auto_restart` to either `true` or `false` on the desired OnePasswordItem. An example of this is shown below:
-```yaml
-# enabled auto restarts for the OnePasswordItem
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: example
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the deployment will be used.
-
-## Development
-
-### Creating a Docker image
-
-To create a local version of the Docker image for testing, use the following `Makefile` target:
-```shell
-make build/local
-```
-
-### Building the Operator binary
-```shell
-make build/binary
-```
-
-The binary will be placed inside a `dist` folder within this repository.
-
-### Running Tests
-
-```shell
-make test
-```
-
-With coverage:
-```shell
-make test/coverage
-```
-
-## Security
-
-1Password requests you practice responsible disclosure if you discover a vulnerability. 
-
-Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). 
-
-For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).

pkg/apis/addtoscheme_onepassword_v1.go

@@ -1,7 +1,7 @@
 package apis
 
 import (
-	v1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	v1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 )
 
 func init() {

pkg/apis/onepassword/v1/onepasswordsecret_types.go

@@ -8,7 +8,7 @@ import (
 
 // OnePasswordItemSpec defines the desired state of OnePasswordItem
 type OnePasswordItemSpec struct {
-	ItemPath string `json:"itemPath,omitempty"`
+	ItemReference string `json:"itemReference,omitempty"`
 }
 
 // OnePasswordItemStatus defines the observed state of OnePasswordItem

pkg/controller/add_deployment.go

@@ -1,7 +1,7 @@
 package controller
 
 import (
-	"github.com/1Password/onepassword-operator/operator/pkg/controller/deployment"
+	"github.com/1Password/onepassword-operator/pkg/controller/deployment"
 )
 
 func init() {

pkg/controller/add_onepassworditem.go

@@ -1,7 +1,7 @@
 package controller
 
 import (
-	"github.com/1Password/onepassword-operator/operator/pkg/controller/onepassworditem"
+	"github.com/1Password/onepassword-operator/pkg/controller/onepassworditem"
 )
 
 func init() {

pkg/controller/deployment/deployment_controller.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"fmt"
 
-	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
-	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
-	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/utils"
 
 	"regexp"
 
@@ -191,16 +191,15 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 
 	secretName := annotations[op.NameAnnotation]
-	secretLabels := map[string]string(nil)
 	if len(secretName) == 0 {
-		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
+		reqLog.Info("No 'item-name' annotation set. 'item-reference' and 'item-name' must be set as annotations to add new secret.")
 		return nil
 	}
 
-	item, err := op.GetOnePasswordItemByPath(r.opConnectClient, annotations[op.ItemPathAnnotation])
+	item, err := op.GetOnePasswordItemByReference(r.opConnectClient, annotations[op.ItemReferenceAnnotation])
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation])
 }

pkg/controller/deployment/deployment_controller_test.go

@@ -6,8 +6,8 @@ import (
 	"regexp"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
-	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/stretchr/testify/assert"
@@ -52,7 +52,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	ItemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )
 
 var (
@@ -76,8 +76,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -90,8 +90,8 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 			Spec: appsv1.DeploymentSpec{
@@ -152,8 +152,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -166,8 +166,8 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 			Spec: appsv1.DeploymentSpec{
@@ -235,8 +235,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Test Do not update if Annotations have not changed",
+		testName: "Test Do not update if OnePassword Item Version has not changed",
 		deploymentResource: &appsv1.Deployment{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       deploymentKind,
@@ -268,10 +268,9 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
-				Labels: map[string]string{},
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -280,8 +279,6 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
 				},
 			},
 			Data: expectedSecretData,
@@ -293,10 +290,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
 				},
-				Labels: map[string]string(nil),
 			},
 			Data: expectedSecretData,
 		},
@@ -316,8 +310,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -358,8 +352,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},

pkg/controller/onepassworditem/onepassworditem_controller.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"fmt"
 
-	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
-	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
-	"github.com/1Password/onepassword-operator/operator/pkg/onepassword"
-	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
-	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
+	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/pkg/onepassword"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/utils"
 
 	"github.com/1Password/connect-sdk-go/connect"
 
@@ -144,14 +144,12 @@ func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem
 
 func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
 	secretName := resource.GetName()
-	labels := resource.Labels
-	annotations := resource.Annotations
-	autoRestart := annotations[op.RestartDeploymentsAnnotation]
+	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]
 
-	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
+	item, err := onepassword.GetOnePasswordItemByReference(r.opConnectClient, resource.Spec.ItemReference)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart)
 }

pkg/controller/onepassworditem/onepassworditem_test.go

@@ -5,10 +5,10 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
-	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
 
-	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/stretchr/testify/assert"
@@ -55,7 +55,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )
 
 var (
@@ -79,7 +79,7 @@ var tests = []testReconcileItem{
 				},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -111,7 +111,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -119,8 +119,7 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation:  fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
+					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: expectedSecretData,
@@ -131,8 +130,7 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation:  fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
+					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: expectedSecretData,
@@ -152,14 +150,9 @@ var tests = []testReconcileItem{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation:  fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
-				},
-				Labels: map[string]string{},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -167,10 +160,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation:  "456",
-					op.ItemPathAnnotation: itemPath,
+					op.VersionAnnotation: "456",
 				},
-				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -180,10 +171,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation:  fmt.Sprint(version),
-					op.ItemPathAnnotation: itemPath,
+					op.VersionAnnotation: fmt.Sprint(version),
 				},
-				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -204,7 +193,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -236,7 +225,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -268,7 +257,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -285,7 +274,7 @@ var tests = []testReconcileItem{
 				"password":       []byte(password),
 				"username":       []byte(username),
 				"first-host":     []byte(firstHost),
-				"AWS-Access-Key": []byte(awsKey),
+				"aws-access-key": []byte(awsKey),
 				"ice-cream-type": []byte(iceCream),
 			},
 		},
@@ -297,47 +286,6 @@ var tests = []testReconcileItem{
 			"😄 ice-cream type": iceCream,
 		},
 	},
-	{
-		testName: "Secret from 1Password item with `-`, `_` and `.`",
-		customResource: &onepasswordv1.OnePasswordItem{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       onePasswordItemKind,
-				APIVersion: onePasswordItemAPIVersion,
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "!.my_sECReT.it3m%-_",
-				Namespace: namespace,
-			},
-			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
-			},
-		},
-		existingSecret: nil,
-		expectedError:  nil,
-		expectedResultSecret: &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-secret.it3m",
-				Namespace: namespace,
-				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
-				},
-			},
-			Data: map[string][]byte{
-				"password":          []byte(password),
-				"username":          []byte(username),
-				"first-host":        []byte(firstHost),
-				"AWS-Access-Key":    []byte(awsKey),
-				"-_ice_cream.type.": []byte(iceCream),
-			},
-		},
-		opItem: map[string]string{
-			userKey:               username,
-			passKey:               password,
-			"first host":          firstHost,
-			"AWS Access Key":      awsKey,
-			"😄 -_ice_cream.type.": iceCream,
-		},
-	},
 }
 
 func TestReconcileOnePasswordItem(t *testing.T) {

pkg/kubernetessecrets/kubernetes_secrets_builder.go

@@ -7,10 +7,8 @@ import (
 	"regexp"
 	"strings"
 
-	"reflect"
-
 	"github.com/1Password/connect-sdk-go/onepassword"
-	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,32 +23,27 @@ const OnepasswordPrefix = "operator.1password.io"
 const NameAnnotation = OnepasswordPrefix + "/item-name"
 const VersionAnnotation = OnepasswordPrefix + "/item-version"
 const restartAnnotation = OnepasswordPrefix + "/last-restarted"
-const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
+const ItemReferenceAnnotation = OnepasswordPrefix + "/item-reference"
 const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
 
 var log = logf.Log
 
-func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string) error {
 
 	itemVersion := fmt.Sprint(item.Version)
-
-	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
-	if secretAnnotations == nil {
-		secretAnnotations = map[string]string{}
+	annotations := map[string]string{
+		VersionAnnotation:       itemVersion,
+		ItemReferenceAnnotation: fmt.Sprintf("op://%v/%v", item.Vault.ID, item.ID),
 	}
-
-	secretAnnotations[VersionAnnotation] = itemVersion
-	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
-
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
 		if err != nil {
 			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
 			return err
 		}
-		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
+		annotations[RestartDeploymentsAnnotation] = autoRestart
 	}
-	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, annotations, *item)
 
 	currentSecret := &corev1.Secret{}
 	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
@@ -61,10 +54,9 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 		return err
 	}
 
-	if !reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || !reflect.DeepEqual(currentSecret.Labels, labels) {
+	if currentSecret.Annotations[VersionAnnotation] != itemVersion {
 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
-		currentSecret.ObjectMeta.Annotations = secretAnnotations
-		currentSecret.ObjectMeta.Labels = labels
+		currentSecret.ObjectMeta.Annotations = annotations
 		currentSecret.Data = secret.Data
 		return kubeClient.Update(context.Background(), currentSecret)
 	}
@@ -73,13 +65,12 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	return nil
 }
 
-func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        formatSecretName(name),
 			Namespace:   namespace,
 			Annotations: annotations,
-			Labels:      labels,
 		},
 		Data: BuildKubernetesSecretData(item.Fields),
 	}
@@ -89,17 +80,16 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			key := formatSecretDataName(fields[i].Label)
+			key := formatSecretName(fields[i].Label)
 			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
 
-// formatSecretName rewrites a value to be a valid Secret name.
+// formatSecretName rewrites a value to be a valid Secret name or Secret data key.
 //
-// The Secret meta.name and data keys must be valid DNS subdomain names
-// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
 func formatSecretName(value string) string {
 	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
 		return value
@@ -107,18 +97,7 @@ func formatSecretName(value string) string {
 	return createValidSecretName(value)
 }
 
-// formatSecretDataName rewrites a value to be a valid Secret data key.
-//
-// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
-// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
-func formatSecretDataName(value string) string {
-	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
-		return value
-	}
-	return createValidSecretDataName(value)
-}
-
-var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-]+")
 
 func createValidSecretName(value string) string {
 	result := strings.ToLower(value)
@@ -129,19 +108,5 @@ func createValidSecretName(value string) string {
 	}
 
 	// first and last character MUST be alphanumeric
-	return strings.Trim(result, "-.")
-}
-
-var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
-var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
-
-func createValidSecretDataName(value string) string {
-	result := invalidStartEndChars.ReplaceAllString(value, "")
-	result = invalidDataChars.ReplaceAllString(result, "-")
-
-	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
-		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
-	}
-
-	return result
+	return strings.Trim(result, "-")
 }

pkg/kubernetessecrets/kubernetes_secrets_builder_test.go

@@ -6,10 +6,11 @@ import (
 	"strings"
 	"testing"
 
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -31,11 +32,7 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 
 	kubeClient := fake.NewFakeClient()
-	secretLabels := map[string]string{}
-	secretAnnotations := map[string]string{
-		"testAnnotation": "exists",
-	}
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -46,11 +43,7 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not created: %v", err)
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
-	compareAnnotationsToItem(createdSecret.Annotations, item, t)
-
-	if createdSecret.Annotations["testAnnotation"] != "exists" {
-		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
-	}
+	compareAnnotationsToItem(item.Vault.ID, item.ID, createdSecret.Annotations, item, t)
 }
 
 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -64,9 +57,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 
 	kubeClient := fake.NewFakeClient()
-	secretLabels := map[string]string{}
-	secretAnnotations := map[string]string{}
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -77,7 +68,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.Version = 456
 	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
-	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -88,7 +79,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not found: %v", err)
 	}
 	compareFields(newItem.Fields, updatedSecret.Data, t)
-	compareAnnotationsToItem(updatedSecret.Annotations, newItem, t)
+	compareAnnotationsToItem(newItem.Vault.ID, newItem.ID, updatedSecret.Annotations, newItem, t)
 }
 func TestBuildKubernetesSecretData(t *testing.T) {
 	fields := generateFields(5)
@@ -110,9 +101,8 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	item := onepassword.Item{}
 	item.Fields = generateFields(5)
-	labels := map[string]string{}
 
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
 	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
@@ -132,7 +122,6 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	annotations := map[string]string{
 		"annotationKey": "annotationValue",
 	}
-	labels := map[string]string{}
 	item := onepassword.Item{}
 
 	item.Fields = []*onepassword.ItemField{
@@ -146,7 +135,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 		},
 	}
 
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels,  item)
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
 
 	// Assert Secret's meta.name was fixed
 	if kubeSecret.Name != expectedName {
@@ -164,11 +153,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	}
 }
 
-func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
-	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
-	if err != nil {
-		t.Errorf("Was unable to parse Item Path")
-	}
+func compareAnnotationsToItem(actualVaultId, actualItemId string, annotations map[string]string, item onepassword.Item, t *testing.T) {
 	if actualVaultId != item.Vault.ID {
 		t.Errorf("Expected annotation vault id to be %v but was %v", item.Vault.ID, actualVaultId)
 	}
@@ -208,16 +193,8 @@ func generateFields(numToGenerate int) []*onepassword.ItemField {
 	return fields
 }
 
-func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
-	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
-}
-
 func validLabel(v string) bool {
-	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
+	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
 		return false
 	}
 	return true

pkg/onepassword/annotations.go

@@ -9,7 +9,7 @@ import (
 
 const (
 	OnepasswordPrefix            = "operator.1password.io"
-	ItemPathAnnotation           = OnepasswordPrefix + "/item-path"
+	ItemReferenceAnnotation      = OnepasswordPrefix + "/item-reference"
 	NameAnnotation               = OnepasswordPrefix + "/item-name"
 	VersionAnnotation            = OnepasswordPrefix + "/item-version"
 	RestartAnnotation            = OnepasswordPrefix + "/last-restarted"

pkg/onepassword/annotations_test.go

@@ -22,7 +22,7 @@ func TestFilterAnnotations(t *testing.T) {
 	if len(filteredAnnotations) != 2 {
 		t.Errorf("Unexpected number of filtered annotations returned. Expected 2, got %v", len(filteredAnnotations))
 	}
-	_, found := filteredAnnotations[ItemPathAnnotation]
+	_, found := filteredAnnotations[ItemReferenceAnnotation]
 	if !found {
 		t.Errorf("One Password Annotation was filtered when it should not have been")
 	}
@@ -87,7 +87,7 @@ func TestGetNoAnnotationsForDeployment(t *testing.T) {
 
 func getValidAnnotations() map[string]string {
 	return map[string]string{
-		ItemPathAnnotation: "vaults/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/items/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
-		NameAnnotation:     "secretName",
+		ItemReferenceAnnotation: "op://b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
+		NameAnnotation:          "secretName",
 	}
 }

pkg/onepassword/items.go

@@ -11,11 +11,16 @@ import (
 
 var logger = logf.Log.WithName("retrieve_item")
 
-func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
-	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
+const (
+	secretReferencePrefix = "op://"
+)
+
+func GetOnePasswordItemByReference(opConnectClient connect.Client, reference string) (*onepassword.Item, error) {
+	vaultValue, itemValue, err := ParseReference(reference)
 	if err != nil {
 		return nil, err
 	}
+
 	vaultId, err := getVaultId(opConnectClient, vaultValue)
 	if err != nil {
 		return nil, err
@@ -33,12 +38,28 @@ func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*one
 	return item, nil
 }
 
-func ParseVaultAndItemFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
+func ParseReference(reference string) (string, string, error) {
+	if !strings.HasPrefix(reference, secretReferencePrefix) {
+		return "", "", fmt.Errorf("secret reference should start with `op://`")
 	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+	path := strings.TrimPrefix(reference, secretReferencePrefix)
+
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) != 2 {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Secret references should match op://<vault>/<item>", reference)
+	}
+
+	vault := splitPath[0]
+	if vault == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Vault can't be empty.", reference)
+	}
+
+	item := splitPath[1]
+	if item == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Item can't be empty.", reference)
+	}
+
+	return vault, item, nil
 }
 
 func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {

pkg/onepassword/secret_update_handler.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"time"
 
-	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
-	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/pkg/utils"
 
 	"github.com/1Password/connect-sdk-go/connect"
 	"github.com/1Password/connect-sdk-go/onepassword"
@@ -110,13 +110,13 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 	for i := 0; i < len(secrets.Items); i++ {
 		secret := secrets.Items[i]
 
-		itemPath := secret.Annotations[ItemPathAnnotation]
+		itemReference := secret.Annotations[ItemReferenceAnnotation]
 		currentVersion := secret.Annotations[VersionAnnotation]
-		if len(itemPath) == 0 || len(currentVersion) == 0 {
+		if len(itemReference) == 0 || len(currentVersion) == 0 {
 			continue
 		}
 
-		item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
+		item, err := GetOnePasswordItemByReference(h.opConnectClient, secret.Annotations[ItemReferenceAnnotation])
 		if err != nil {
 			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
 		}
@@ -131,7 +131,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 			}
 			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 			secret.Annotations[VersionAnnotation] = itemVersion
-			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
 			h.client.Update(context.Background(), updatedSecret)
 			if updatedSecrets[secret.Namespace] == nil {
 				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)

pkg/onepassword/secret_update_handler_test.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+	"github.com/1Password/onepassword-operator/pkg/mocks"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/stretchr/testify/assert"
@@ -51,7 +51,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )
 
 var defaultNamespace = &corev1.Namespace{
@@ -73,8 +73,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					NameAnnotation:     "unlrelated secret",
-					ItemPathAnnotation: itemPath,
+					NameAnnotation:          "unlrelated secret",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 		},
@@ -83,8 +83,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -95,8 +95,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -149,8 +149,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -161,8 +161,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -186,8 +186,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
-					NameAnnotation:     name,
+					ItemReferenceAnnotation: itemReference,
+					NameAnnotation:          name,
 				},
 			},
 		},
@@ -196,8 +196,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -208,8 +208,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -255,8 +255,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -267,8 +267,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -292,8 +292,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
-					NameAnnotation:     name,
+					ItemReferenceAnnotation: itemReference,
+					NameAnnotation:          name,
 				},
 			},
 		},
@@ -302,8 +302,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -314,8 +314,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -369,8 +369,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -381,8 +381,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -439,7 +439,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -452,7 +452,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -510,7 +510,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -523,7 +523,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -580,8 +580,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -592,8 +592,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -657,8 +657,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -669,8 +669,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -730,8 +730,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -742,8 +742,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,