generate dockerconfigjson from 1password entry

[martinscholz-mediatis]

Summary

Support for different Secret types

Use cases

We'd like to be able to set the dockerconfigjson in one password as a secret, so it would be awesome that one could enter the parameters like:

• docker-server,
• docker-username,
• docker-password and
• docker-email

in the secret and this will generate an entry for the secrets in the form of:

apiVersion: v1
kind: Secret
metadata:
  ...
  name: regcred
  ...
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
type: kubernetes.io/dockerconfigjson

with the .data..dockerconfigjson in the form of:

{"auths":{"docker-server-value":{"username":"docker-username-value","password":"docker-password-value","email":"docker-email-value","auth":"base64encoded(docker-username-value:docker-password-value)"}}}

Proposed solution

it would be awesome if one could add a special flag to an secret like an text entry that would handle the type setting, like:
.dockerconfigjson as name and kubernetes.io/dockerconfigjson as value or type and the kubernetes.io/dockerconfigjson as value and then let the operator generate the secret out of the box from this. that way also key-rollovers for the config would be pretty straightforward.

Is there a workaround to accomplish this today?

the only workaround to do so is the following to directly interact with the kubernetes cluster and set the secret by hand in the form of:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

this will generate a regard secret of the form above, with the suitable values generated.

References & Prior Work

The official documentation about it is here:
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

[kquinsland]

Would be a +1 for this as well.
You can kubectl create secret docker-registry ... --dry-run=client and then store the data.dockerconfigjson in a "regular" 1password item value but then how do you pass it off to spec.template.spec.imagePullSecrets? You can't, as far as I can tell. Whatever value imagePullSecrets gets needs to point to a secret with type: kubernetes.io/dockerconfigjson set and that doesn't seem to be possible currently w/ the 1password operator.

[kquinsland]

Got burned by this again. In this particular instance, I need to be able to set type: kubernetes.io/basic-auth and not type: kubernetes.io/dockerconfigjson.

Can somebody from the 1pw team chime in on weather or not there should be an issue per kind or a new issue that reads along the lines of "implement kind: .... support for secrets created through the 1pw operator"

[hgranillo]

@kquinsland I recently faced the same problem but after digging thought some code I found out that you can specify the type of secret by setting type: kubernetes.io/basic-auth in the OnePasswordItem

For example:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: horacio-test
type: kubernetes.io/basic-auth
spec:
  itemPath: "vaults/blah-blah/items/horacio-test"

❯ kubectl get secret
NAME                  TYPE                                  DATA   AGE
horacio-test          kubernetes.io/basic-auth              2      74m

kubectl get secret -o yaml horacio-test
apiVersion: v1
data:
  password: YmxhaGJsYWhibGFoCg==
  username: cGVwaXRv
kind: Secret
metadata:
...
type: kubernetes.io/basic-auth

Hope this helps.

[kquinsland]

@kquinsland I recently faced the same problem but after digging thought some code I found out that you can specify the type of secret by setting type: kubernetes.io/basic-auth in the OnePasswordItem

Yeah, it looks like that's an option: https://github.com/1Password/onepassword-operator/blob/f6b267726d0bfa9c746ec75ed19f0c916367e41c/internal/controller/onepassworditem_controller.go#L164C1-L164C29

[kquinsland]

Thanks, again, to the tip from @hgranillo. I was able to get .dockerconfigjson secrets working.

First, create the secret, locally:

❯ kubectl create secret docker-registry ghcr-login-secret --docker-server=https://ghcr.io --docker-username=<...> --docker-password=<...> --dry-run=client --output=yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e<...>Q==
# <...>

Then decode the b64 to get the actual json

❯ echo "e<...>Q==" | base64 -d
{"a<...>}

Then create a new entry in your 1password vault, create a new field with the name .dockerconfigjson and paste in the json you decoded above.

Create the usual kind: OnePasswordItem but with type: kubernetes.io/dockerconfigjson and apply. Within a few seconds, you should have a new secret that has the correct type and the correct field.

Few things to note from trial/error:

When type: kubernetes.io/dockerconfigjson is set, the operator expects the vault item field to be named .dockerconfigjson (including the leading dot).

You must decode the b64 into regular json and store that in 1password, not the b64 string.
Failure to do so will result in an error like:

Invalid value: \"<secret contents redacted>\": invalid character 'e' looking for beginning of value"