Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Injector overwrites pod MountVolumes #22

Closed
AG-Dayton opened this issue Mar 14, 2023 · 1 comment · Fixed by #24
Closed

Injector overwrites pod MountVolumes #22

AG-Dayton opened this issue Mar 14, 2023 · 1 comment · Fixed by #24
Labels
bug Something isn't working

Comments

@AG-Dayton
Copy link

AG-Dayton commented Mar 14, 2023

Your environment

Secret Injector Version: v1.0.0

1Password CLI Version: 2

Connect Server Version: 1.5.7

Kubernetes Version: 1.26

What happened?

When enabling the injector on a pod, the process writes over the existing volumeMounts stipulated in the deployment, and replaces them with /op/bin

What did you expect to happen?

Desired behavior is to append /op/bin to the list of volumeMounts as opposed to replacing them.

Steps to reproduce

Deploy Connect and functioning Injector


Step 1: Create a new namespace to test in using kubectl: kubectl create namespace <namespace>.

Step 2: Create a K8s secret from your 1Password connect token:

kubectl create secret generic onepassword-token --namespace <namespace> --from-literal=token=<your-connect-token>


Step 3: Deploy a Connect server: helm install connect 1password/connect --set connect.ingress.enabled=True --set connect.serviceType=LoadBalancer --set-file connect.credentials=/path/to/credentials.json --namespace <namespace>

Step 4: Deploy injector: helm install --generate-name 1password/secrets-injector --namespace <namespace>

Step 5: Label the namespace: kubectl label namespace <namespace> secrets-injection=enabled

Step 6: Deploy a test pod by saving the below config to a .yaml file and applying it with kubectl apply -f /path/to/file.yaml --namespace <namespace>.

Note that you will need to set your own valid secret references.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-example
spec:
  selector:
    matchLabels:
      app: app-example
  template:
    metadata:
      annotations:
        operator.1password.io/inject: "app-example1"
      labels:
        app: app-example
    spec:
      containers:
        - name: app-example1
          image: debian
          volumeMounts:
          - name: redis
            mountPath: /etc/redis 
          command: ["printenv"]
          args: ["DB_USERNAME", "DB_PASSWORD"]
          env:
          - name: OP_CONNECT_HOST
            value: http://onepassword-connect:8080
          - name: OP_CONNECT_TOKEN
            valueFrom:
              secretKeyRef:
                name: onepassword-token
                key: token
          - name: DB_USERNAME
            value: your-secret-reference
          - name: DB_PASSWORD
            value: another-secret-reference
      volumes:
        - name: redis
          emptyDir: {}


Step 7: Check the app-example pod logs to see if secrets were subbed in - they should say <Concealed by 1Password>: kubectl logs app-example-podname --namespace <namespace>

If the secrets were subbed in successfully, then verify the contents of the Mounts section of the pod: kubectl describe pod <pod-name> --namespace <namespace>.

You should note that the spec'd redis volume has been dropped and replaced with /op/bin, which is the bug behavior.

@AG-Dayton AG-Dayton added the bug Something isn't working label Mar 14, 2023
@volodymyrZotov
Copy link
Contributor

Thank you for raising this @AG-Dayton . We are going to take a look and see what are the workarounds to implement this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants