rommel (New Contributor)
12 months ago
Secrets injector not working - variable value is the op path
Hi,
I am currently testing the secrets injector with a Connect server by following this documentation. Both have been deployed in k8s.
I tried deploying this demo app:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      annotations:
        operator.1password.io/inject: demo-app
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: busybox
          ports:
            - containerPort: 5000
          command: ["sleep"]
          args: ["3600"]
          env:
            - name: OP_CONNECT_HOST
              value: 'http://onepassword-connect.onepassword.svc.cluster.local:8080'
            - name: OP_CONNECT_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: connect-token
            - name: TEST_ONEPASSWORD
              value: op://my-vault/test_creds/password
```
Connect logs:
```
{"log_message":"(I) GET /v1/vaults","timestamp":"2024-02-22T11:51:56.978455348Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults completed (200: OK) in 12ms","timestamp":"2024-02-22T11:51:56.990803288Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22","timestamp":"2024-02-22T11:51:56.992460837Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22 completed (200: OK) in 10ms","timestamp":"2024-02-22T11:51:57.00252325Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi","timestamp":"2024-02-22T11:51:57.003679559Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi completed (200: OK) in 8ms","timestamp":"2024-02-22T11:51:57.012355276Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
```
Injector logs:
```
I0222 11:51:55.401251 1 webhook.go:180] Checking if secret injection is needed for /v1, Kind=Pod at namespace default
I0222 11:51:55.401426 1 webhook.go:98] Pod at namespace default. Secret injection status: Secret Injection Enabled:true
I0222 11:51:55.401477 1 webhook.go:313] OP_SERVICE_ACCOUNT_TOKEN not provided
I0222 11:51:55.401485 1 webhook.go:345] OP CLI will be used with Connect
I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"kube-api-access-tkfrs","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"},{"name":"op-bin","readOnly":true,"mountPath":"/op/bin/"}]},{"op":"replace","path":"/spec/containers/0/command","value":["/op/bin/op","run","--","sleep"]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_NAME","value":"1Password Kubernetes Webhook"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_ID","value":"K8W"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_BUILDNUMBER","value":"1000101"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"op-bin","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/initContainers","value":[{"name":"copy-op-bin","image":"1password/op:2","command":["sh","-c","cp /usr/local/bin/op /op/bin/"],"resources":{},"volumeMounts":[{"name":"op-bin","mountPath":"/op/bin/"}],"imagePullPolicy":"IfNotPresent"}]},{"op":"add","path":"/metadata/annotations","value":{"operator.1password.io/status":"injected"}}]
I0222 11:51:55.401571 1 webhook.go:481] Ready to write response ...
```
When I check the pod env:
```
$ kubectl exec -it demo-app-78d6b574d7-bxcd4 -- /bin/sh
Defaulted container "demo-app" out of: demo-app, copy-op-bin (init)
/ #
/ # env | grep TEST
TEST_ONEPASSWORD=op://my-vault/test_creds/password
```
What could be the issue here?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
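An added example, not part of the original post and not 1Password's code: it parses the `AdmissionResponse` line from the injector log in the post (abridged here) and summarizes what the webhook's JSON patch changes in the pod spec. The function name `summarize_patch` and the summary keys are hypothetical.

```python
import json
import re

# Abridged copy of the AdmissionResponse line from the injector log in the post
# (volumeMounts, volumes and two integration env vars trimmed for length).
LOG_LINE = (
    'I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch=['
    '{"op":"replace","path":"/spec/containers/0/command",'
    '"value":["/op/bin/op","run","--","sleep"]},'
    '{"op":"add","path":"/spec/containers/0/env/-",'
    '"value":{"name":"OP_INTEGRATION_NAME","value":"1Password Kubernetes Webhook"}},'
    '{"op":"add","path":"/spec/initContainers","value":[{"name":"copy-op-bin",'
    '"image":"1password/op:2","command":["sh","-c","cp /usr/local/bin/op /op/bin/"]}]},'
    '{"op":"add","path":"/metadata/annotations",'
    '"value":{"operator.1password.io/status":"injected"}}]'
)

ENV_PATH = re.compile(r"^/spec/containers/(\d+)/env(/.*)?$")
CMD_PATH = re.compile(r"^/spec/containers/(\d+)/command$")


def summarize_patch(log_line):
    """Summarize what the webhook's JSON patch changes in the pod spec."""
    marker = "AdmissionResponse: patch="
    ops = json.loads(log_line[log_line.index(marker) + len(marker):])
    summary = {"wrapped": {}, "env_added": [], "env_rewritten": [],
               "init_containers": [], "status": None}
    for op in ops:
        path, value = op["path"], op.get("value")
        cmd, env = CMD_PATH.match(path), ENV_PATH.match(path)
        if cmd and value[:3] == ["/op/bin/op", "run", "--"]:
            summary["wrapped"][int(cmd.group(1))] = value[3:]
        elif env and op["op"] == "add" and path.endswith("/-"):
            summary["env_added"].append(value["name"])
        elif env:
            # Any other env op would mean the webhook edits existing entries.
            summary["env_rewritten"].append(path)
        elif path == "/spec/initContainers":
            summary["init_containers"] = [c["name"] for c in value]
        elif path == "/metadata/annotations":
            summary["status"] = value.get("operator.1password.io/status")
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_patch(LOG_LINE), indent=2))
```

For the patch in the post, `env_rewritten` is empty and container 0's command is wrapped in `op run --`, so the `op://` value stays in the pod spec as written. `op run` resolves secret references only in the environment of the process it launches, which a separate `kubectl exec` shell is not part of.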