
Forum Discussion

rommel
New Contributor
12 months ago

Secrets injector not working - variable value is the op path

Hi,
I am currently testing secrets injector with connect server by following this documentation. Both have been deployed in the k8s.

I tried deploying this demo app:

```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      annotations:
        operator.1password.io/inject: demo-app
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: busybox
          ports:
            - containerPort: 5000
          command: ["sleep"]
          args: ["3600"]
          env:
            - name: OP_CONNECT_HOST
              value: 'http://onepassword-connect.onepassword.svc.cluster.local:8080'
            - name: OP_CONNECT_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: connect-token
            - name: TEST_ONEPASSWORD
              value: op://my-vault/test_creds/password
```

Connect logs:
```
{"log_message":"(I) GET /v1/vaults","timestamp":"2024-02-22T11:51:56.978455348Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults completed (200: OK) in 12ms","timestamp":"2024-02-22T11:51:56.990803288Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22","timestamp":"2024-02-22T11:51:56.992460837Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22 completed (200: OK) in 10ms","timestamp":"2024-02-22T11:51:57.00252325Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi","timestamp":"2024-02-22T11:51:57.003679559Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi completed (200: OK) in 8ms","timestamp":"2024-02-22T11:51:57.012355276Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}

```

Injector logs:
```
I0222 11:51:55.401251 1 webhook.go:180] Checking if secret injection is needed for /v1, Kind=Pod at namespace default
I0222 11:51:55.401426 1 webhook.go:98] Pod at namespace default. Secret injection status: Secret Injection Enabled:true
I0222 11:51:55.401477 1 webhook.go:313] OP_SERVICE_ACCOUNT_TOKEN not provided
I0222 11:51:55.401485 1 webhook.go:345] OP CLI will be used with Connect
I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"kube-api-access-tkfrs","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"},{"name":"op-bin","readOnly":true,"mountPath":"/op/bin/"}]},{"op":"replace","path":"/spec/containers/0/command","value":["/op/bin/op","run","--","sleep"]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_NAME","value":"1Password Kubernetes Webhook"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_ID","value":"K8W"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_BUILDNUMBER","value":"1000101"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"op-bin","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/initContainers","value":[{"name":"copy-op-bin","image":"1password/op:2","command":["sh","-c","cp /usr/local/bin/op /op/bin/"],"resources":{},"volumeMounts":[{"name":"op-bin","mountPath":"/op/bin/"}],"imagePullPolicy":"IfNotPresent"}]},{"op":"add","path":"/metadata/annotations","value":{"operator.1password.io/status":"injected"}}]
I0222 11:51:55.401571 1 webhook.go:481] Ready to write response ...

```

When I check the pod env:
```
$ kubectl exec -it demo-app-78d6b574d7-bxcd4 -- /bin/sh
Defaulted container "demo-app" out of: demo-app, copy-op-bin (init)
/ #
/ # env | grep TEST
TEST_ONEPASSWORD=op://my-vault/test_creds/password

```
What could be the issue here?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
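
An added diagnostic, not part of the original post and not 1Password's code: the AdmissionResponse in the injector log rewrites the container command to `/op/bin/op run -- sleep`, and `op run` resolves `op://` references only in the environment of the process it launches, so a shell opened with `kubectl exec` still starts from the pod spec's raw value. The script below (its file and function names are this example's own) reads each process's start-up environment under `/proc` and reports whether the variable is still a reference or has been resolved, without printing the value.

```shell
#!/bin/sh
# Added example: classify how a variable appears in each process's start-up
# environment, never echoing the value itself (it may be a live secret).
# Hypothetical usage inside the container: sh check-env.sh TEST_ONEPASSWORD

# classify_env VAR FILE -> prints "reference", "resolved" or "unset".
# FILE is NUL-separated, like /proc/<pid>/environ. Only the first line of a
# multi-line value is inspected, which is enough to spot an op:// prefix.
classify_env() {
    var=$1
    file=$2
    line=$(tr '\0' '\n' 2>/dev/null < "$file" | grep "^${var}=" | head -n 1)
    if [ -z "$line" ]; then
        echo unset
        return 0
    fi
    case "${line#*=}" in
        op://*) echo reference ;;   # still the secret reference from the pod spec
        *)      echo resolved ;;    # replaced by something else (value not shown)
    esac
}

# scan_procs VAR [PROCROOT] -> one "pid<TAB>command<TAB>state" line for every
# process whose environ file is readable. PROCROOT defaults to /proc.
scan_procs() {
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/environ" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        state=$(classify_env "$1" "$dir/environ")
        printf '%s\t%s\t%s\n' "${dir##*/}" "$comm" "$state"
    done
}

# Run the scan only when a variable name is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_procs "$1"
fi
```

If injection worked, the `sleep` process started by `op run` should report `resolved`, while `op` itself and any `kubectl exec` shell report `reference`.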
