Updating path for fetching 1password items to be of the op:// reference format

Merge pull request #64 from 1Password/release/v1.0.2
Preparing release
2025-10-22 15:38:06 +00:00 · 2021-09-13 10:33:34 -03:00 · 2021-08-27 15:32:40 -03:00 · 2021-08-27 15:21:07 -03:00 · 2021-08-17 20:28:07 +02:00 · 2021-08-16 15:24:04 +02:00
30 changed files with 491 additions and 167 deletions
--- a/.VERSION
+++ b/.VERSION
@@ -1 +1 @@
-v1.0.0
+1.0.2
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Report bugs and errors found while using the Operator.
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+### Your environment
+
+<!-- Version of the Operator when the error occurred -->
+Operator Version:
+
+<!-- What version of the Connect server are you running?
+You can get this information from the Integrations section in 1Password
+https://start.1password.com/integrations/active
+-->
+Connect Server Version:
+
+<!-- What version of Kubernetes have you deployed the operator to? -->
+Kubernetes Version:
+
+## What happened?
+<!-- Describe the bug or error -->
+
+## What did you expect to happen?
+<!-- Describe what should have happened -->
+
+## Steps to reproduce
+1. <!-- Describe Steps to reproduce the issue -->
+
+
+## Notes & Logs
+<!-- Paste any logs here that may help with debugging.
+Remember to remove any sensitive information before sharing! -->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,9 @@
+# docs: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: 1Password Community
+    url: https://1password.community/categories/secrets-automation
+    about: Please ask general Secrets Automation questions here.
+  - name: 1Password Security Bug Bounty
+    url: https://bugcrowd.com/agilebits
+    about: Please report security vulnerabilities here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,32 @@
+---
+name: Feature request
+about: Suggest an idea for the Operator
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+### Summary
+<!-- Briefly describe the feature in one or two sentences. You can include more details later. -->
+
+### Use cases
+<!-- Describe the use cases that make this feature useful to others.
+The description should help the reader understand why the feature is necessary.
+The better we understand your use case, the better we can help create an appropriate solution. -->
+
+### Proposed solution
+<!-- If you already have an idea for how the feature should work, use this space to describe it.
+We'll work with you to find a workable approach, and any implementation details are appreciated.
+-->
+
+### Is there a workaround to accomplish this today?
+<!-- If there's a way to accomplish this feature request without changes to the codebase, we'd like to hear it.
+-->
+
+### References & Prior Work
+<!-- If a similar feature was implemented in another project or tool, add a link so we can better understand your request.
+Links to relevant documentation or RFCs are also appreciated. -->
+
+* <!-- Reference 1 -->
+* <!-- Reference 2, etc -->
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,20 +1,11 @@
 name: Build and Test
-
-on:
-  push:
-    branches:
-      - '**'
-  pull_request:
-    branches:
-      - $default-branch
+on: [push, pull_request]

 jobs:
-
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
-
    - name: Set up Go 1.x
      uses: actions/setup-go@v2
      with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,57 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release-docker:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Docker meta
+        id: meta
+        uses: crazy-max/ghaction-docker-meta@v2
+        with:
+          images: |
+            1password/onepassword-operator
+          # Publish image for x.y.z and x.y
+          # The latest tag is automatically added for semver tags
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Get the version from tag
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/v}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Docker Login
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            operator_version=${{ steps.get_version.outputs.VERSION }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,23 @@

 ---

+[//]: # (START/v1.0.2)
+# v1.0.2
+
+## Fixes
+ * Name normalizer added to handle non-conforming item names.
+
+---
+
+[//]: # (START/v1.0.1)
+# v1.0.1
+
+## Features
+* This release also contains an arm64 Docker image. {#20}
+* Docker images are also pushed to the :latest and :<major>.<minor> tags.
+
+---
+
 [//]: # (START/v1.0.0)
 # v1.0.0

--- a/4
+++ b/4
@@ -14,11 +14,9 @@ COPY vendor/ vendor/
 # Build
 ARG operator_version=dev
 RUN CGO_ENABLED=0 \
-    GOOS=linux \
-    GOARCH=amd64 \
    GO111MODULE=on \
    go build \
-    -ldflags "-X version.Version=$operator_version" \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
    -mod vendor \
    -a -o manager main.go

--- a/4
+++ b/4
@@ -20,12 +20,12 @@ test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover

 build:	## Build operator Docker image
-	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
 	@echo "Successfully built and tagged image."
 	@echo "Tag: $(DOCKER_IMG_TAG)"

 build/local:	## Build local version of the operator Docker image
-	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG)
+	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .

 build/binary: clean	## Build operator binary
 	@mkdir -p dist
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.

-The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
+The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Reference on a deployment.

 The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.

@@ -13,8 +13,8 @@ Prerequisites:
 - [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
 - [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - [docker installed](https://docs.docker.com/get-docker/)
- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.b5dev.com/cs/connect)
- [1Password Connect deployed to Kubernetes](https://support.b5dev.com/cs/connect-deploy-kubernetes/#step-2-deploy-a-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.

 ### Quickstart for Deploying 1Password Connect to Kubernetes

@@ -53,15 +53,15 @@ Adding this environment variable will have the operator automatically deploy a d
 "Create a Connect token for the operator and save it as a Kubernetes Secret: 

 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=<OP_CONNECT_TOKEN>"
+$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
 ```

 If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
 ```bash
-$ kubectl create secret generic op-operator-connect-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
 ```

-[More information on generating a token can be found here](https://support.1password.com/cs/secrets-automation/#appendix-issue-additional-access-tokens)
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)

 **Set Permissions For Operator**

@@ -84,9 +84,9 @@ An sample Deployment yaml can be found at `/deploy/operator.yaml`.

 To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:

- **WATCH_NAMESPACE:** comma separated list of what Namespaces to watch for changes.
 - **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
- **POLLING_INTERVAL** (default: 600)**:** The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
 - **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
 - **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.

@@ -102,11 +102,11 @@ To create a Kubernetes Secret from a 1Password item, create a yaml file with the

 ```yaml
 apiVersion: onepassword.com/v1
-kind: OnePasswordItem # {insert_new_name}
+kind: OnePasswordItem
 metadata:
  name: <item_name> #this name will also be used for naming the generated kubernetes secret
 spec:
-  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
+  itemReference: "op://<vault_id_or_title>/<item_id_or_title>" 
 ```

 Deploy the OnePasswordItem to Kubernetes:
@@ -131,20 +131,25 @@ kind: Deployment
 metadata:
  name: deployment-example
  annotations:
-    operator.1password.io/item-path: "vaults/{vault_id_or_title}/items/{item_id_or_title}"
-    operator.1password.io/item-name: "{secret_name}"
+    operator.1password.io/item-reference: "op://<vault>/<item>"
+    operator.1password.io/item-name: "<secret_name>"
 ```

-Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
+Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Reference.

-Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
+Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-reference` and `operator.1password.io/item-name` and no other deployment is using the secret.

 If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.

 ---
 **NOTE**

-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. Furthermore, titles that include white space characters cannot be used.
+If multiple 1Password vaults/items have the same `title` when using a title in the access reference, the desired action will be performed on the oldest vault/item. 
+
+Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
+ - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
+ - All whitespaces between words will be replaced by `-`
+ - All the letters will be lower-cased.

 ---

@@ -163,7 +168,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: "example-namespace"
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.

@@ -175,7 +181,8 @@ apiVersion: v1
 kind: Deployment
 metadata:
  name: "example-deployment"
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the namespace will be used.

@@ -187,7 +194,8 @@ apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
  name: example
-  operator.1password.io/auto-restart: "true"
+  annotations:
+    operator.1password.io/auto-restart: "true"
 ```
 If the value is not set, the auto reset settings on the deployment will be used.

@@ -224,4 +232,4 @@ make test/coverage

 Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). 

-For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
+For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -83,9 +83,11 @@ func main() {

 	printVersion()

-	namespace, err := k8sutil.GetWatchNamespace()
+	namespace := os.Getenv(k8sutil.WatchNamespaceEnvVar)
+
+	deploymentNamespace, err := k8sutil.GetOperatorNamespace()
 	if err != nil {
-		log.Error(err, "Failed to get watch namespace")
+		log.Error(err, "Failed to get namespace")
 		os.Exit(1)
 	}

@@ -139,7 +141,7 @@ func main() {
 		go func() {
 			connectStarted := false
 			for connectStarted == false {
-				err := op.SetupConnect(mgr.GetClient())
+				err := op.SetupConnect(mgr.GetClient(), deploymentNamespace)
 				// Cache Not Started is an acceptable error. Retry until cache is started.
 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) {
 					log.Error(err, "")
@@ -176,7 +178,8 @@ func main() {
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				err := updatedSecretsPoller.UpdateKubernetesSecretsTask()
+				log.Error(err, "Error occured during update secret task")
 			}
 		}
 	}()
--- a/deploy/connect/deployment.yaml
+++ b/deploy/connect/deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: onepassword-connect
-  namespace: default
 spec:
  selector:
    matchLabels:
--- a/deploy/connect/service.yaml
+++ b/deploy/connect/service.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: onepassword-connect
-  namespace: default
 spec:
  type: NodePort
  selector:
--- a/deploy/crds/onepassword.com_onepassworditems_crd.yaml
+++ b/deploy/crds/onepassword.com_onepassworditems_crd.yaml
@@ -33,7 +33,7 @@ spec:
          spec:
            description: OnePasswordItemSpec defines the desired state of OnePasswordItem
            properties:
-              itemPath:
+              itemReference:
                type: string
            type: object
          status:
--- a/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
+++ b/deploy/crds/onepassword.com_v1_onepassworditem_cr.yaml
@@ -3,4 +3,4 @@ kind: OnePasswordItem
 metadata:
  name: example
 spec:
-  itemPath: "vaults/<vault_id>/items/<item_id>"
+  itemReference: "op://<vault_id>/<item_id>"
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -16,6 +16,7 @@ spec:
      containers:
        - name: onepassword-connect-operator
          image: 1password/onepassword-operator
+          imagePullPolicy: Never
          command: ["/manager"]
          env:
            - name: WATCH_NAMESPACE
--- a/pkg/apis/onepassword/v1/onepasswordsecret_types.go
+++ b/pkg/apis/onepassword/v1/onepasswordsecret_types.go
@@ -8,7 +8,7 @@ import (

 // OnePasswordItemSpec defines the desired state of OnePasswordItem
 type OnePasswordItemSpec struct {
-	ItemPath string `json:"itemPath,omitempty"`
+	ItemReference string `json:"itemReference,omitempty"`
 }

 // OnePasswordItemStatus defines the observed state of OnePasswordItem
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -192,11 +192,11 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat

 	secretName := annotations[op.NameAnnotation]
 	if len(secretName) == 0 {
-		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
+		reqLog.Info("No 'item-name' annotation set. 'item-reference' and 'item-name' must be set as annotations to add new secret.")
 		return nil
 	}

-	item, err := op.GetOnePasswordItemByPath(r.opConnectClient, annotations[op.ItemPathAnnotation])
+	item, err := op.GetOnePasswordItemByReference(r.opConnectClient, annotations[op.ItemReferenceAnnotation])
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -52,7 +52,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	ItemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var (
@@ -76,8 +76,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -90,8 +90,8 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 			Spec: appsv1.DeploymentSpec{
@@ -152,8 +152,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -166,8 +166,8 @@ var tests = []testReconcileItem{
 				Name:      "another-deployment",
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 			Spec: appsv1.DeploymentSpec{
@@ -235,8 +235,8 @@ var tests = []testReconcileItem{
 					finalizer,
 				},
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -268,8 +268,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -310,8 +310,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
@@ -352,8 +352,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.ItemPathAnnotation: itemPath,
-					op.NameAnnotation:     name,
+					op.ItemReferenceAnnotation: ItemReference,
+					op.NameAnnotation:          name,
 				},
 			},
 		},
--- a/pkg/controller/onepassworditem/onepassworditem_controller.go
+++ b/pkg/controller/onepassworditem/onepassworditem_controller.go
@@ -146,7 +146,7 @@ func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1
 	secretName := resource.GetName()
 	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]

-	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
+	item, err := onepassword.GetOnePasswordItemByReference(r.opConnectClient, resource.Spec.ItemReference)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -31,6 +31,9 @@ const (
 	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
 	username                  = "test-user"
 	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
+	firstHost                 = "http://localhost:8080"
+	awsKey                    = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+	iceCream                  = "freezing blue 20%"
 	userKey                   = "username"
 	passKey                   = "password"
 	version                   = 123
@@ -52,7 +55,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var (
@@ -76,7 +79,7 @@ var tests = []testReconcileItem{
 				},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -108,7 +111,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -149,7 +152,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -190,7 +193,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
-				ItemPath: itemPath,
+				ItemReference: itemReference,
 			},
 		},
 		existingSecret: nil,
@@ -210,6 +213,79 @@ var tests = []testReconcileItem{
 			passKey: password,
 		},
 	},
+	{
+		testName: "Secret from 1Password item with invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemReference: itemReference,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Secret from 1Password item with fields and sections that have invalid K8s labels",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!my sECReT it3m%",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemReference: itemReference,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret-it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":       []byte(password),
+				"username":       []byte(username),
+				"first-host":     []byte(firstHost),
+				"aws-access-key": []byte(awsKey),
+				"ice-cream-type": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:            username,
+			passKey:            password,
+			"first host":       firstHost,
+			"AWS Access Key":   awsKey,
+			"😄 ice-cream type": iceCream,
+		},
+	},
 }

 func TestReconcileOnePasswordItem(t *testing.T) {
@@ -241,7 +317,10 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {

 				item := onepassword.Item{}
-				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Fields = []*onepassword.ItemField{}
+				for k, v := range testData.opItem {
+					item.Fields = append(item.Fields, &onepassword.ItemField{Label: k, Value: v})
+				}
 				item.Version = version
 				item.Vault.ID = vaultUUID
 				item.ID = uuid
@@ -257,8 +336,8 @@ func TestReconcileOnePasswordItem(t *testing.T) {
 			// watched resource .
 			req := reconcile.Request{
 				NamespacedName: types.NamespacedName{
-					Name:      name,
-					Namespace: namespace,
+					Name:      testData.customResource.ObjectMeta.Name,
+					Namespace: testData.customResource.ObjectMeta.Namespace,
 				},
 			}
 			_, err := r.Reconcile(req)
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -4,12 +4,17 @@ import (
 	"context"
 	"fmt"

+	"regexp"
+	"strings"
+
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/1Password/onepassword-operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
 	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -18,7 +23,7 @@ const OnepasswordPrefix = "operator.1password.io"
 const NameAnnotation = OnepasswordPrefix + "/item-name"
 const VersionAnnotation = OnepasswordPrefix + "/item-version"
 const restartAnnotation = OnepasswordPrefix + "/last-restarted"
-const ItemPathAnnotation = OnepasswordPrefix + "/item-path"
+const ItemReferenceAnnotation = OnepasswordPrefix + "/item-reference"
 const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"

 var log = logf.Log
@@ -27,8 +32,8 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa

 	itemVersion := fmt.Sprint(item.Version)
 	annotations := map[string]string{
-		VersionAnnotation:  itemVersion,
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
+		VersionAnnotation:       itemVersion,
+		ItemReferenceAnnotation: fmt.Sprintf("op://%v/%v", item.Vault.ID, item.ID),
 	}
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
@@ -63,7 +68,7 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        name,
+			Name:        formatSecretName(name),
 			Namespace:   namespace,
 			Annotations: annotations,
 		},
@@ -75,8 +80,33 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			secretData[fields[i].Label] = []byte(fields[i].Value)
+			key := formatSecretName(fields[i].Label)
+			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
+
+// formatSecretName rewrites a value to be a valid Secret name or Secret data key.
+//
+// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretName(value string) string {
+	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretName(value)
+}
+
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-]+")
+
+func createValidSecretName(value string) string {
+	result := strings.ToLower(value)
+	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	// first and last character MUST be alphanumeric
+	return strings.Trim(result, "-")
+}
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -6,6 +6,8 @@ import (
 	"strings"
 	"testing"

+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -41,7 +43,7 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not created: %v", err)
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
-	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+	compareAnnotationsToItem(item.Vault.ID, item.ID, createdSecret.Annotations, item, t)
 }

 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -77,7 +79,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 		t.Errorf("Secret was not found: %v", err)
 	}
 	compareFields(newItem.Fields, updatedSecret.Data, t)
-	compareAnnotationsToItem(updatedSecret.Annotations, newItem, t)
+	compareAnnotationsToItem(newItem.Vault.ID, newItem.ID, updatedSecret.Annotations, newItem, t)
 }
 func TestBuildKubernetesSecretData(t *testing.T) {
 	fields := generateFields(5)
@@ -101,7 +103,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.Fields = generateFields(5)

 	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
-	if kubeSecret.Name != name {
+	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
@@ -113,11 +115,45 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	compareFields(item.Fields, kubeSecret.Data, t)
 }

-func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
-	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
-	if err != nil {
-		t.Errorf("Was unable to parse Item Path")
+func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
+	name := "inV@l1d k8s secret%name"
+	expectedName := "inv-l1d-k8s-secret-name"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		"annotationKey": "annotationValue",
 	}
+	item := onepassword.Item{}
+
+	item.Fields = []*onepassword.ItemField{
+		{
+			Label: "label w%th invalid ch!rs-",
+			Value: "value1",
+		},
+		{
+			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
+			Value: "name exceeds max length",
+		},
+	}
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
+
+	// Assert Secret's meta.name was fixed
+	if kubeSecret.Name != expectedName {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+
+	// assert labels were fixed for each data key
+	for key := range kubeSecret.Data {
+		if !validLabel(key) {
+			t.Errorf("Expected valid kubernetes label, got %s", key)
+		}
+	}
+}
+
+func compareAnnotationsToItem(actualVaultId, actualItemId string, annotations map[string]string, item onepassword.Item, t *testing.T) {
 	if actualVaultId != item.Vault.ID {
 		t.Errorf("Expected annotation vault id to be %v but was %v", item.Vault.ID, actualVaultId)
 	}
@@ -157,10 +193,9 @@ func generateFields(numToGenerate int) []*onepassword.ItemField {
 	return fields
 }

-func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
+func validLabel(v string) bool {
+	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
+		return false
 	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+	return true
 }
--- a/pkg/onepassword/annotations.go
+++ b/pkg/onepassword/annotations.go
@@ -9,7 +9,7 @@ import (

 const (
 	OnepasswordPrefix            = "operator.1password.io"
-	ItemPathAnnotation           = OnepasswordPrefix + "/item-path"
+	ItemReferenceAnnotation      = OnepasswordPrefix + "/item-reference"
 	NameAnnotation               = OnepasswordPrefix + "/item-name"
 	VersionAnnotation            = OnepasswordPrefix + "/item-version"
 	RestartAnnotation            = OnepasswordPrefix + "/last-restarted"
--- a/pkg/onepassword/annotations_test.go
+++ b/pkg/onepassword/annotations_test.go
@@ -22,7 +22,7 @@ func TestFilterAnnotations(t *testing.T) {
 	if len(filteredAnnotations) != 2 {
 		t.Errorf("Unexpected number of filtered annotations returned. Expected 2, got %v", len(filteredAnnotations))
 	}
-	_, found := filteredAnnotations[ItemPathAnnotation]
+	_, found := filteredAnnotations[ItemReferenceAnnotation]
 	if !found {
 		t.Errorf("One Password Annotation was filtered when it should not have been")
 	}
@@ -87,7 +87,7 @@ func TestGetNoAnnotationsForDeployment(t *testing.T) {

 func getValidAnnotations() map[string]string {
 	return map[string]string{
-		ItemPathAnnotation: "vaults/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/items/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
-		NameAnnotation:     "secretName",
+		ItemReferenceAnnotation: "op://b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
+		NameAnnotation:          "secretName",
 	}
 }
--- a/pkg/onepassword/connect_setup.go
+++ b/pkg/onepassword/connect_setup.go
@@ -2,6 +2,7 @@ package onepassword

 import (
 	"context"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"

 	appsv1 "k8s.io/api/apps/v1"
@@ -17,13 +18,13 @@ var logConnectSetup = logf.Log.WithName("ConnectSetup")
 var deploymentPath = "deploy/connect/deployment.yaml"
 var servicePath = "deploy/connect/service.yaml"

-func SetupConnect(kubeClient client.Client) error {
-	err := setupService(kubeClient, servicePath)
+func SetupConnect(kubeClient client.Client, deploymentNamespace string) error {
+	err := setupService(kubeClient, servicePath, deploymentNamespace)
 	if err != nil {
 		return err
 	}

-	err = setupDeployment(kubeClient, deploymentPath)
+	err = setupDeployment(kubeClient, deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -31,22 +32,22 @@ func SetupConnect(kubeClient client.Client) error {
 	return nil
 }

-func setupDeployment(kubeClient client.Client, deploymentPath string) error {
+func setupDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
 	existingDeployment := &appsv1.Deployment{}

 	// check if deployment has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingDeployment)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment")
-			return createDeployment(kubeClient, deploymentPath)
+			return createDeployment(kubeClient, deploymentPath, deploymentNamespace)
 		}
 	}
 	return err
 }

-func createDeployment(kubeClient client.Client, deploymentPath string) error {
-	deployment, err := getDeploymentToCreate(deploymentPath)
+func createDeployment(kubeClient client.Client, deploymentPath string, deploymentNamespace string) error {
+	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace)
 	if err != nil {
 		return err
 	}
@@ -59,12 +60,16 @@ func createDeployment(kubeClient client.Client, deploymentPath string) error {
 	return nil
 }

-func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
+func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (*appsv1.Deployment, error) {
 	f, err := os.Open(deploymentPath)
 	if err != nil {
 		return nil, err
 	}
-	deployment := &appsv1.Deployment{}
+	deployment := &appsv1.Deployment{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(deployment)
 	if err != nil {
@@ -73,26 +78,30 @@ func getDeploymentToCreate(deploymentPath string) (*appsv1.Deployment, error) {
 	return deployment, nil
 }

-func setupService(kubeClient client.Client, servicePath string) error {
+func setupService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	existingService := &corev1.Service{}

 	//check if service has already been created
-	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: "default"}, existingService)
+	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService)
 	if err != nil {
 		if errors.IsNotFound(err) {
 			logConnectSetup.Info("No existing Connect service found. Creating Service")
-			return createService(kubeClient, servicePath)
+			return createService(kubeClient, servicePath, deploymentNamespace)
 		}
 	}
 	return err
 }

-func createService(kubeClient client.Client, servicePath string) error {
+func createService(kubeClient client.Client, servicePath string, deploymentNamespace string) error {
 	f, err := os.Open(servicePath)
 	if err != nil {
 		return err
 	}
-	service := &corev1.Service{}
+	service := &corev1.Service{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: deploymentNamespace,
+		},
+	}

 	err = yaml.NewYAMLOrJSONDecoder(f, 4096).Decode(service)
 	if err != nil {
--- a/pkg/onepassword/connect_setup_test.go
+++ b/pkg/onepassword/connect_setup_test.go
@@ -25,7 +25,7 @@ func TestServiceSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupService(client, "../../deploy/connect/service.yaml")
+	err := setupService(client, "../../deploy/connect/service.yaml", defaultNamespacedName.Namespace)

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
@@ -50,7 +50,7 @@ func TestDeploymentSetup(t *testing.T) {
 	// Create a fake client to mock API calls.
 	client := fake.NewFakeClientWithScheme(s, objs...)

-	err := setupDeployment(client, "../../deploy/connect/deployment.yaml")
+	err := setupDeployment(client, "../../deploy/connect/deployment.yaml", defaultNamespacedName.Namespace)

 	if err != nil {
 		t.Errorf("Error Setting Up Connect: %v", err)
--- a/pkg/onepassword/items.go
+++ b/pkg/onepassword/items.go
@@ -11,11 +11,16 @@ import (

 var logger = logf.Log.WithName("retrieve_item")

-func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
-	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
+const (
+	secretReferencePrefix = "op://"
+)
+
+func GetOnePasswordItemByReference(opConnectClient connect.Client, reference string) (*onepassword.Item, error) {
+	vaultValue, itemValue, err := ParseReference(reference)
 	if err != nil {
 		return nil, err
 	}
+
 	vaultId, err := getVaultId(opConnectClient, vaultValue)
 	if err != nil {
 		return nil, err
@@ -33,12 +38,28 @@ func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*one
 	return item, nil
 }

-func ParseVaultAndItemFromPath(path string) (string, string, error) {
-	splitPath := strings.Split(path, "/")
-	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
-		return splitPath[1], splitPath[3], nil
+func ParseReference(reference string) (string, string, error) {
+	if !strings.HasPrefix(reference, secretReferencePrefix) {
+		return "", "", fmt.Errorf("secret reference should start with `op://`")
 	}
-	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+	path := strings.TrimPrefix(reference, secretReferencePrefix)
+
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) != 2 {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Secret references should match op://<vault>/<item>", reference)
+	}
+
+	vault := splitPath[0]
+	if vault == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Vault can't be empty.", reference)
+	}
+
+	item := splitPath[1]
+	if item == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Item can't be empty.", reference)
+	}
+
+	return vault, item, nil
 }

 func getVaultId(client connect.Client, vaultIdentifier string) (string, error) {
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -110,13 +110,13 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 	for i := 0; i < len(secrets.Items); i++ {
 		secret := secrets.Items[i]

-		itemPath := secret.Annotations[ItemPathAnnotation]
+		itemReference := secret.Annotations[ItemReferenceAnnotation]
 		currentVersion := secret.Annotations[VersionAnnotation]
-		if len(itemPath) == 0 || len(currentVersion) == 0 {
+		if len(itemReference) == 0 || len(currentVersion) == 0 {
 			continue
 		}

-		item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
+		item, err := GetOnePasswordItemByReference(h.opConnectClient, secret.Annotations[ItemReferenceAnnotation])
 		if err != nil {
 			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
 		}
--- a/pkg/onepassword/secret_update_handler_test.go
+++ b/pkg/onepassword/secret_update_handler_test.go
@@ -51,7 +51,7 @@ var (
 		"password": []byte(password),
 		"username": []byte(username),
 	}
-	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+	itemReference = fmt.Sprintf("op://%v/%v", vaultId, itemId)
 )

 var defaultNamespace = &corev1.Namespace{
@@ -73,8 +73,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					NameAnnotation:     "unlrelated secret",
-					ItemPathAnnotation: itemPath,
+					NameAnnotation:          "unlrelated secret",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 		},
@@ -83,8 +83,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -95,8 +95,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -149,8 +149,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -161,8 +161,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -186,8 +186,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
-					NameAnnotation:     name,
+					ItemReferenceAnnotation: itemReference,
+					NameAnnotation:          name,
 				},
 			},
 		},
@@ -196,8 +196,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -208,8 +208,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -255,8 +255,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -267,8 +267,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -292,8 +292,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					ItemPathAnnotation: itemPath,
-					NameAnnotation:     name,
+					ItemReferenceAnnotation: itemReference,
+					NameAnnotation:          name,
 				},
 			},
 		},
@@ -302,8 +302,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -314,8 +314,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -369,8 +369,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -381,8 +381,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -439,7 +439,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -452,7 +452,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "true",
 				},
 			},
@@ -510,7 +510,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            "old version",
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -523,7 +523,7 @@ var tests = []testUpdateSecretTask{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					VersionAnnotation:            fmt.Sprint(itemVersion),
-					ItemPathAnnotation:           itemPath,
+					ItemReferenceAnnotation:      itemReference,
 					RestartDeploymentsAnnotation: "false",
 				},
 			},
@@ -580,8 +580,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -592,8 +592,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -657,8 +657,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -669,8 +669,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -730,8 +730,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  "old version",
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       "old version",
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
@@ -742,8 +742,8 @@ var tests = []testUpdateSecretTask{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					VersionAnnotation:  fmt.Sprint(itemVersion),
-					ItemPathAnnotation: itemPath,
+					VersionAnnotation:       fmt.Sprint(itemVersion),
+					ItemReferenceAnnotation: itemReference,
 				},
 			},
 			Data: expectedSecretData,
Author	SHA1	Message	Date
jillianwilson	1590dd9b89	Updating path for fetching 1password items to be of the op:// reference format	2021-09-13 10:33:34 -03:00
Jillian W	49d984c6f2	Merge pull request #64 from 1Password/release/v1.0.2 Preparing release	2021-08-27 15:32:40 -03:00
jillianwilson	72cad7284c	Preparing release	2021-08-27 15:21:07 -03:00
Eduard Filip	6043e0da0b	Merge pull request #58 from 1Password/dg/normalize-secret-name Add secret name normalizer to the operator.	2021-08-17 20:28:07 +02:00
Eddy Filip	753cc5e9a3	Update note in README The note now explains how the item title and fields are made into DNS subdomain-compliant names for creating Kubernetes secrets.	2021-08-16 15:24:04 +02:00
Eddy Filip	8cfe98073e	Improve testing Fix previous tests and add test for items with field names that are not valid DNS subdomain names.	2021-08-16 14:51:44 +02:00
david.gunter	96b42e7c52	Label normalizer now fixes both Secret names and data keys. Each key in the `data` section of a secret must also be a valid DNS subdomain. The operator needs to "fix" the 1Password item fields before trying to create the secret.	2021-08-06 13:18:21 -07:00
david.gunter	579b5848da	Add secret name normalizer to the operator. The operator will now reformat 1Password item names to become valid names K8s Secret objects. Secret names must be a valid DNS subdomain name. See more: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names	2021-08-05 16:39:55 -07:00
Eduard Filip	b50d864b50	Merge pull request #46 from 1Password/connect-deploy-custom-namespace Add support custom namespace for connect deployment	2021-06-17 14:13:43 +03:00
Eduard Filip	1643385d9b	Merge pull request #45 from 1Password/fix/makefile Add missing argument for docker build	2021-06-17 14:13:11 +03:00
Eddy Filip	9441214733	Add support custom namespace for connect deployment Now when the operator is deployed with the `MANAGE_CONNECT` env var set to true, the connect instance is deployed in the same namespace as the operator.	2021-06-09 20:45:33 +03:00
Eddy Filip	7e4e988813	Add missing argument for docker build `make build` and `make build/local` would fail because the docker build commands were incomplete.	2021-06-09 16:02:05 +03:00
Simon Barendse	68f084080e	Merge pull request #40 from 1Password/feature/watch-namespaces-default Watch all namespaces by default	2021-06-07 14:25:48 +02:00
Simon Barendse	859c9e3462	Watch all namespaces by default When nothing is configured, watch all namespaces by default. This makes it easier to get started. It also makes configuring to watch all namespaces less akward (currently you have to set the WATCH_NAMESPACE environment variable to the empty string to configure the operator to watch all namespaces.	2021-05-14 14:26:30 +02:00
Simon Barendse	9dabac4a55	Merge pull request #35 from 1Password/auto-restart-annotation-example Fix examples using the auto-restart annotation	2021-05-07 11:33:54 +02:00
Simon Barendse	d927a08790	Fix examples using the auto-restart annotation	2021-05-03 18:14:02 +02:00
Simon Barendse	933f7c4e2c	Merge pull request #33 from lemichello/readme-token-name Make token name used in README and deploy/operator.yaml consistent	2021-05-03 18:04:07 +02:00
Floris van der Grinten	81eb9a521f	Merge pull request #34 from 1Password/support-links Update documentation links	2021-05-03 18:02:09 +02:00
Simon Barendse	eb32bd7f94	Update documentation links Also switch b5dev.com to 1password.com	2021-05-03 16:59:32 +02:00
Simon Barendse	a5781af949	Update documentation links The documentation is moved to our main support site when the operator was publicly released. The old URLs are redirected to the new URLs used in this commit, however, when redirecting the anchor is lost and the page is not scrolled to that position on the page. This commit fixes that by changing the URLs to the new URLs.	2021-05-03 16:56:49 +02:00
Maksym Lemich	0aa5781acd	renamed the proposed secret name for the token	2021-05-03 14:07:59 +03:00
Joris Coenen	700be4426f	Merge pull request #31 from 1Password/armv7-image Add arm/v7 image	2021-04-30 17:43:07 +02:00
Joris Coenen	76ef9aa372	Merge pull request #30 from 1Password/fix-cli-version Fix the version passed to the image	2021-04-30 16:39:29 +02:00
Joris Coenen	d7e6704314	Add arm/v7 image Needed to run on a Raspberry Pi. Arm/v6 would also be nice, but this does not seem to be supported by the current base image gcr.io/distroless/static:nonroot. So let's go with this for now.	2021-04-30 16:39:05 +02:00
Joris Coenen	2443979602	Fix the version passed to the image Contrary to what internet resources say, ${{github.event.ref}} also contains the `ref/tags/` prefix. That is removed now. Also, setting the version with plain "-X version.Version" does not seem to work consistently. Adding the full package as a prefix fixes this.	2021-04-30 16:12:45 +02:00
Joris Coenen	5b65196d31	Merge pull request #29 from 1Password/release/v1.0.1 Release v1.0.1	2021-04-30 14:31:35 +02:00
Joris Coenen	e7df8a485d	Fix inconsistency in .VERSION file	2021-04-30 14:28:36 +02:00
Joris Coenen	ded76138da	Prepare release v1.0.1	2021-04-30 14:24:33 +02:00
Joris Coenen	a5db6aeb81	Merge pull request #24 from 1Password/go-binaries-action Create GitHub Actions workflow to release to Docker Hub	2021-04-30 11:15:33 +02:00
Joris Coenen	d45f682c37	Rename job to release-docker Co-authored-by: Floris van der Grinten <floris.vandergrinten@agilebits.com>	2021-04-29 14:35:21 +02:00
Joris Coenen	d0c1235e58	Remove obsoleted goreleaser files	2021-04-23 18:45:06 +02:00
Joris Coenen	9e8f621020	Use docker buildx for building and pushing images This has the benefit that every tag only shows up as one image. With goreleaser, multiple images were shipped	2021-04-23 18:40:15 +02:00
Joris Coenen	8dd7a28456	Merge pull request #26 from 1Password/issue-templates Add GitHub issue templates	2021-04-22 18:38:29 +02:00
Joris Coenen	43b06dd7aa	Add GitHub issue templates	2021-04-22 13:38:35 +02:00
Joris Coenen	e8e01d6578	Also push :latest tag	2021-04-21 19:06:13 +02:00
Joris Coenen	b53e017b77	GitHub Action steps for publishing images to DockerHub	2021-04-21 18:41:30 +02:00
Joris Coenen	b2565cebf8	Add GoReleaser configuration for publishing docker images Should build both an amd64 and arm64 image and combine both in a single manifest. Does require some modifications to the GitHub Actions to correctly push to DockerHub. Used this blog post as inspiration: https://carlosbecker.com/posts/multi-platform-docker-images-goreleaser-gh-actions/	2021-04-21 18:18:47 +02:00
Joris Coenen	9459d2e292	Merge pull request #25 from 1Password/readme-update Minor README adjustments	2021-04-21 10:50:48 +02:00
jillianwilson	0409b17ef4	Minor README adjustments	2021-04-20 16:18:59 -03:00
jillianwilson	2e47b76d4c	Github action for building Go binaries for new release	2021-04-20 16:15:12 -03:00
Floris van der Grinten	1cca09df90	Merge pull request #23 from 1Password/actions-for-community-prs Run GitHub Actions tests on community PRs too	2021-04-20 16:38:26 +02:00
Floris van der Grinten	b9cb92eb1b	Run GitHub Actions tests on community PRs too	2021-04-19 21:04:18 +02:00
@@ -1 +1 @@
 v1.0.0
 .0.2