1Password

Overview

1Password is a comprehensive password management service, including secret sharing, policy controls, audit logs and more. It also has good Kubernetes integrations through two different methods: service accounts and what they call a Connect server. Service accounts are just API tokens; they are subject to limits on the number of calls and rely on direct connectivity to the 1Password cloud service.

A Connect server, on the other hand, is like a caching server between you and the 1Password cloud, sitting on your infrastructure with low latency and unlimited requests. When using a Connect server, we can use a Kubernetes operator to manage and load secrets into workloads, and even restart deployments when secrets change.

Installation

Create a Connect server

Before we install the Connect server and operator, we'll need to create some credentials in 1Password. We can do this via the op CLI tool:

op connect server create connect-server-lab

This returns one of the two things we'll need for the Helm chart: a credentials file written to your current working directory.

Set up a Connect server.
UUID: PLCCUGASCFED5OKCHPH2UCIHWE
Credentials file: /home/me/1password-credentials.json

Create an authentication token

op connect token connect-server-lab-auth-token --server connect-server-lab --vault Work,r

Make sure you add any vaults you want to access, along with ,r for read-only or ,w for write access.

In production use, we would probably also set the token to expire via the --expires-in option.

The output will look like:

eyJhbGciOiJFUzI1NiIsImtpZCI6ImZpbHlrZ3M3cnN5em5vcGFyeWVmaHd1dHZtIiwidHlwIjoiSldUIn0.eyIxcGFzc3dvcmQuY29tL2F1dWlkIjoiTDc0N1VTU0hGWkZXRENUVUM1VjQ2QTVTT1EiLCIxcGFzc3dvcmQuY29tL2Z0cyI6WyJ2YXVsdGFjY2VzcyJdLCIxcGFzc3dvcmQuY29tL3Rva2VuIjoiZW5SNlFpdEhJTExpbS1CdDJoRWpPa1A2UWxRd0NvbXEiLCJhdWQiOlsiY29tLjFwYXNzd29yZC5jb25uZWN0Il0sImlhdCI6MTcxMDg3ODYwOSwiaXNzIjoiY29tLjFwYXNzd29yZC5iNSIsImp0aSI6ImxqcGFxam9zaTR1dzNoaGpwaW5hdWZjYnppIiwic3ViIjoiUExDQ1VHQVNDRkVENU9LQ0hQSDJVQ0lIV0UifQ.FRs_JPai2v7s2UKajB9grv2ErRCRWXUGpOV4Y7tkDbtWF4eYGxIGzxLmbWTCmLMOIiRa_830UHNkR3y1jQ1ZeQ

This is the second variable we'll need to install everything via Helm.

Grant access to vaults

Out of the box your new Connect server has no access to any vaults, so we'll need to add some explicit access rules:

op connect vault grant --server connect-server-lab --vault Work

This returns something like:

Connect server connect-server-lab (PLCCUGASCFED5OKCHPH2UCIHWE) has been successfully granted access to vault Work (p4epn2fxsje77ecdrtjwrgyoea).

Repeat for as many vaults as you want it to have access to, noting that you cannot give a Connect server access to the Personal or Private vaults.

Install the Connect server and Operator

Now that we have a credentials file and an authentication token we can proceed to install via Helm:

helm repo add 1password https://1password.github.io/connect-helm-charts/
helm repo update
helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true --set operator.token.value=OP_CONNECT_TOKEN

Make sure you substitute the credentials file path and OP_CONNECT_TOKEN with the values from the previous steps.
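Before running the helm install above, it is worth inspecting the authentication token from the earlier step: the Connect token is a JWT whose sub claim is the Connect server's UUID and which carries no exp claim unless --expires-in was used. The following Python script is an added example, not part of the original page or of 1Password's tooling; it decodes the claims without verifying the signature (which would need 1Password's public key) and reports a mismatched server, a missing audience, or a missing or past expiry. The token it checks is a constructed sample mirroring the claim layout of the one shown above, not the real token.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Return the payload claims of a JWT without verifying its signature.
    Verifying needs 1Password's public key, so this is an inspection aid only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_connect_token(token, server_uuid, now=None):
    """Return findings about a Connect token; an empty list means it looks fine."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    findings = []
    if claims.get("sub") != server_uuid:
        findings.append(f"sub {claims.get('sub')!r} does not match server {server_uuid}")
    if "com.1password.connect" not in claims.get("aud", []):
        findings.append("aud does not include com.1password.connect")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires (consider --expires-in)")
    elif claims["exp"] <= now:
        findings.append("token has expired")
    return findings

def make_sample_token(claims):
    # Constructed, unsigned sample with the claim layout of a real Connect token;
    # the third segment is a placeholder, not a valid ES256 signature.
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"

# Server UUID as printed by `op connect server create` earlier on this page.
SERVER_UUID = "PLCCUGASCFED5OKCHPH2UCIHWE"
# Constructed sample mirroring the claims of the token shown above (iss, aud, iat, sub, no exp).
NON_EXPIRING = make_sample_token({"aud": ["com.1password.connect"], "iss": "com.1password.b5",
                                  "iat": 1710878609, "sub": SERVER_UUID})

if __name__ == "__main__":
    for finding in check_connect_token(NON_EXPIRING, SERVER_UUID):
        print("WARNING:", finding)
```

To check a real token, replace NON_EXPIRING with the string returned by `op connect token` and SERVER_UUID with your server's UUID.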

Usage examples

Create a Kubernetes secret from a 1Password item

You can create a Kubernetes secret object from a 1Password vault item with a manifest like so:

cat <<EOF | kubectl apply -f -
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: from-1p
spec:
  itemPath: "vaults/Work/items/site"
EOF

This will yield the following Secret object, with values depending on the contents of your 1Password item:

apiVersion: v1
data:
  password: cGFzcw==
  username: dXNlcg==
kind: Secret
metadata:
  annotations:
    operator.1password.io/item-path: vaults/gkm6exq7iqhese2rb7tvjuhq4a/items/dhtc7smuyvbbxontl26aypvdha
    operator.1password.io/item-version: "2"
  creationTimestamp: "2024-03-19T21:36:36Z"
  name: from-1p
  ownerReferences:
  - apiVersion: onepassword.com/v1
    kind: OnePasswordItem
    name: from-1p
    uid: a23a532e-f16b-4c93-895d-db889f2082f1
  resourceVersion: "49152571"
  uid: 8767573f-67d8-40e3-bf64-3b5b923aa9db
type: Opaque

Annotate a deployment to use 1Password

Adding the annotations to a deployment's metadata will create the secret directly for that deployment, like so:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-example
  annotations:
    operator.1password.io/item-path: "vaults/VAULT/items/ITEM"
    operator.1password.io/item-name: "SECRET_NAME"
# The rest of the Deployment is unchanged; the operator creates a Secret named SECRET_NAME,
# which the pod template can reference like any other Secret.

Next steps

Check out the official documentation for more usage tips and how-tos.