Support for stringData in Opaque secrets

[rooso]

Summary

For some usecases I'll need a Kubernetes Sercret from type Opaque with data in stringData and not in data. See also https://kubernetes.io/docs/concepts/configuration/secret/#restriction-names-data. That is a native Kubernetes use case which would be great, to have it in combination with 1Password Operator.

Use cases

Allow to store secret values that are not base64 encoded in stringData for applications that need unencrypted values in a Kubernetes Secret.

Proposed solution

Adding option to specify if Opaque secret will store the values in data or stringData.

Following OnePasswordItem ...

apiVersion: onepassword.com/v1
kind: OnePasswordItem
type: Opaque/stringData
metadata:
  name: private-repo-creds
spec:
  itemPath: vaults/mysecretvault/items/private-repo-creds

... should create a Kubernetes Secret like this:

apiVersion: v1
kind: Secret
metadata:
	name: private-repo-creds
	namespace: demo
stringData:
	type: git
	url: git@git.demo.com:kubernetes/application
	sshPrivateKey: |
		-----BEGIN PRIVATE KEY-----
		... wait for 1Password support for stringData in secrets
		-----END PRIVATE KEY-----

Is there a workaround to accomplish this today?

If the application supports it, you can decode the base64 encoded value before use. In my case, that's not possible.

[rooso]

Discovered a new kubernetes application deployment that needs secrets with stringData. ArgoCD and Pinniped are two of them.

[richardnabu]

+1 SeldonCore needs this - Seldon docs here

[zach-broadway-nauto]

+1 I would say that the ArgoCD use case is a VERY valid reason to plan this work. Many companies are adopting ArgoCD for GitOps workflows.

Please see the github ssh secret example from the ArgoCD Docs

[brizzbuzz]

Tailscale operator also needs this 🙏

[fdaligand]

Hi there,

I just deploy the following OnePasswordItem for my argocd deployement and it work well.

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cluster-managment-https-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
spec:
  itemPath: "vaults/${env}/items/cluster-managment-https-repo"

and the secret generated is as follow:

 Name:         cluster-managment-https-repo                                                                                                                                                                      │
│ Namespace:    argocd                                                                                                                                                                                            │
│ Labels:       argocd.argoproj.io/secret-type=repository                                                                                                                                                         │
│ Annotations:  operator.1password.io/item-path: vaults/***/items/***                                                                                               │
│               operator.1password.io/item-version: 1                                                                                                                                                             │
│                                                                                                                                                                                                                 │
│ Type:  Opaque                                                                                                                                                                                                   │
│                                                                                                                                                                                                                 │
│ Data                                                                                                                                                                                                            │
│ ====                                                                                                                                                                                                            │
│ username:  25 bytes                                                                                                                                                                                             │
│ password:  12 bytes                                                                                                                                                                                             │
│ type:      3 bytes                                                                                                                                                                                              │
│ url:       51 bytes    

Argocd doesn't care if your secret is of type data or stringdata.
I hope it will help.

[matthijsvdr]

I just spend way to much time trying to find out why cert-manager gave errors contacting the cloudflare api. It is because the 1password secret was not (and cant) be defined as stringData.

Does not work

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
spec:
  itemPath: "vaults/my-vault/items/cloudflare-api"

Works

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: secret-token-here

Now I just have to make sure to not commit the secret 🫠

Would be great for this to be added to 1password somehow