I am writing this post as a quick tutorial on how to use 1Password as the main place to store secrets and sync them with the secrets in k8s.

For this I will be using:

  • minikube - for a local Kubernetes cluster
  • 1Password
  • Docker - for hosting the connect server

First, we set up the 1Password Connect server. The 1Password Connect server is used for accessing and syncing 1Password secrets.

The 1Password Connect server is mainly set up from 1Password through the browser. When we finish creating it we will have 1password-credentials.json and an access token.

The 1Password documentation has a step-by-step guide on how to accomplish this; you can read more here: link

Now that we have acquired 1password-credentials.json and the access token, we can start the Docker containers that will host our 1Password Connect server.

Here is an example docker-compose.yaml file.

version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    ports:
      - "8080:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    ports:
      - "8081:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"

volumes:
  data:

The next step is to set up the 1Password operator in Kubernetes. Let's install it with Helm using this command:

helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true --set operator.autoRestart=true --set operator.token.value=<access token>

If the command is successful we should see these two pods up and running:

onepassword-connect-db6fd9b77-5rk2f             2/2     Running
onepassword-connect-operator-7dbf97c45c-xx97z   1/1     Running

With this running we have a 1Password connector, which connects to the 1Password Connect server we created with Docker, and the 1Password operator, which will take care of the k8s secrets.

In order for the 1Password operator to know which vault and item it needs to sync, we apply this configuration to our k8s cluster:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: <name of the k8s secret>
spec:
  itemPath: "vaults/<vault>/items/<item>"

When this configuration is applied we will see our secret created in k8s when we run the command kubectl get secrets.

Now, mapping this secret to a deployment is the same as for any other k8s secret, which means we need to use:

...
env:
 - name: MYSECRET
   valueFrom:
     secretKeyRef:
       name: <name of the k8s secret>
       key: password
...
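To tie the steps above together, here is an added helper script (not part of the original post or of 1Password's tooling) that renders the OnePasswordItem manifest, validates the vaults/<vault>/items/<item> path shape the operator expects, and after applying it waits for the operator to create the Secret and checks that the expected key is present without ever printing its value. It assumes kubectl already points at the minikube cluster where the operator is installed; the secret name, vault and item names used in the usage line are constructed examples.

```shell
#!/bin/sh
# Added helper for the 1Password operator flow (not from the original post).
# Renders the OnePasswordItem CR, applies it, waits for the synced Secret and
# verifies the key exists. Assumes kubectl targets the cluster with the operator.
set -eu

# itemPath must be vaults/<vault>/items/<item> with non-empty, slash-free parts.
validate_item_path() {
  case "$1" in vaults/*/items/*) ;; *) return 1 ;; esac
  rest=${1#vaults/}
  vault=${rest%%/items/*}
  item=${rest#*/items/}
  [ -n "$vault" ] && [ -n "$item" ] || return 1
  case "$vault$item" in */*) return 1 ;; esac
}

# Usage: render_item_manifest <k8s-secret-name> <vault> <item>
render_item_manifest() {
  path="vaults/$2/items/$3"
  validate_item_path "$path" || { echo "invalid itemPath: $path" >&2; return 1; }
  cat <<EOF
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: $1
spec:
  itemPath: "$path"
EOF
}

# Poll until the operator has created the Secret (timeout in seconds, default 60).
wait_for_secret() {
  n=0
  until kubectl get secret "$1" -o name >/dev/null 2>&1; do
    n=$((n + 1))
    [ "$n" -lt "${2:-60}" ] || { echo "timed out waiting for secret $1" >&2; return 1; }
    sleep 1
  done
}

# True if the Secret carries the key; tests presence only, so the value never
# reaches the terminal or shell history.
secret_has_key() {
  [ -n "$(kubectl get secret "$1" -o jsonpath="{.data.$2}")" ]
}

# Example (constructed names): sh sync-check.sh my-db-secret Dev database
if [ "$#" -eq 3 ]; then
  render_item_manifest "$1" "$2" "$3" | kubectl apply -f -
  wait_for_secret "$1" && secret_has_key "$1" password && echo "$1 synced, key 'password' present"
fi
```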