Hi, I set up a connect-server and \"installed\" operator into a GKE based cluster. I can successfully create secrets from items in my vault via terraform, however, there are a few thing that I wish would be implemented.

In this question I would like to focus only on one of those: observability of status of a OnePasswordItem.
\nWhen I query details of a created OnePasswordItem I can see:
\n
\napiVersion: onepassword.com/v1
\nkind: OnePasswordItem
\nmetadata:
\n creationTimestamp: \"2022-03-17T08:41:25Z\"
\n finalizers:
\n - onepassword.com/finalizer.secret
\n generation: 2
\n name: secret-properties
\n namespace: oauth2-develop
\n resourceVersion: \"911495\"
\n uid: 052ef8a6-5da1-4e32-977e-9073872a217a
\nspec:
\n itemPath: <redacted>
\nstatus: {}
\ntype: Opaque
\n
\nMy problem is that status contains nothing. This is an issue, cause I'm using terraform like:
\n
\nresource \"kubernetes_manifest\" \"oauth_secret_properties\" {
\n manifest = {
\n apiVersion = \"onepassword.com/v1\"
\n kind = \"OnePasswordItem\"
\n metadata = {
\n name = \"secret-properties\"
\n namespace = kubernetes_namespace.oauth2.metadata[0].name
\n }
\n type = \"Opaque\"
\n spec = {
\n itemPath = <redacted>
\n }
\n }
\n}
\n
\nand I would like to be able to add a https://registry.terraform.io/providers/hashicorp/kubernetes/2.6.1/docs/resources/manifest#using-wait_for-to-block-create-and-update-calls block in kubernetes_manifest so terraform can figure out when is it safe to move on to the next resource creation (which actually depends on this existing secret).

1Password Version: Not Provided
\nExtension Version: Not Provided
\nOS Version: Not Provided

Hi, I set up a connect-server and \"installed\" operator into a GKE based cluster. I can successfully create secrets from items in my vault via terraform, however, there are a few thing that I wish would be implemented.

In this question I would like to focus only on one of those: observability of status of a OnePasswordItem.
\nWhen I query details of a created OnePasswordItem I can see:
\n
\napiVersion: onepassword.com/v1
\nkind: OnePasswordItem
\nmetadata:
\n creationTimestamp: \"2022-03-17T08:41:25Z\"
\n finalizers:
\n - onepassword.com/finalizer.secret
\n generation: 2
\n name: secret-properties
\n namespace: oauth2-develop
\n resourceVersion: \"911495\"
\n uid: 052ef8a6-5da1-4e32-977e-9073872a217a
\nspec:
\n itemPath: <redacted>
\nstatus: {}
\ntype: Opaque
\n
\nMy problem is that status contains nothing. This is an issue, cause I'm using terraform like:
\n
\nresource \"kubernetes_manifest\" \"oauth_secret_properties\" {
\n manifest = {
\n apiVersion = \"onepassword.com/v1\"
\n kind = \"OnePasswordItem\"
\n metadata = {
\n name = \"secret-properties\"
\n namespace = kubernetes_namespace.oauth2.metadata[0].name
\n }
\n type = \"Opaque\"
\n spec = {
\n itemPath = <redacted>
\n }
\n }
\n}
\n
\nand I would like to be able to add a wait_for block in kubernetes_manifest so terraform can figure out when is it safe to move on to the next resource creation (which actually depends on this existing secret).

1Password Version: Not Provided
\nExtension Version: Not Provided
\nOS Version: Not Provided

I'm trying it out today.

Awesome. I just tagged https://github.com/1Password/onepassword-operator/releases/tag/v1.5.0 of the operator. The Docker images should be available soon.

and it's approved. awesome :)

Indeed it would. Thank you very much!

That's good to hear. When it's released will depend on how quickly we can iron out the API. There is still some discussion on the ready field.

I am currently leaning towards removing that altogether. Is it correct that the following would work for you?


\nresource \"kubernetes_manifest\" \"oauth_secret_properties\" {
\n manifest = {
\n apiVersion = \"onepassword.com/v1\"
\n kind = \"OnePasswordItem\"
\n metadata = {
\n name = \"secret-properties\"
\n namespace = kubernetes_namespace.oauth2.metadata[0].name
\n }
\n type = \"Opaque\"
\n spec = {
\n itemPath = <redacted>
\n }
\n }
\n wait {
\n fields = {
\n \"status.conditions[0].type\" = \"Ready\"
\n \"status.conditions[0].status\" = \"True\"
\n }
\n }
\n}
\n

I tested this locally and it seems to do what you would expect: it waits for the k8s secret to be created.

yes, it looks exactly like what I'm looking for. you rock. what do you think, when will it make into a public release?

Hey!

I just opened a https://github.com/1Password/onepassword-operator/pull/118 on the operator's GitHub repostiory that should address this. If you want to check if that indeed solves your problem (check out the examples), that would be really helpful!

Joris

Hi Joris,

Did you have a change to bring this matter with your team? Can I help in anyway?

Hey!

Thank you for reaching out. I really appreciate you sharing the details of your use-case.

Adding the status field to the resource sounds like a very useful improvement. I will bring it up to my team.

Joris