Updated to op v2
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
This commit is contained in:
parent
4f0fb2a170
commit
bb4f2232db
@ -8,9 +8,11 @@ RUN go mod download
|
||||
ADD . .
|
||||
RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o kube-1password-secrets main.go
|
||||
|
||||
FROM 1password/op:2 as OP
|
||||
|
||||
FROM golang:1.14-alpine
|
||||
WORKDIR /app/
|
||||
COPY --from=builder /usr/local/bin/op /usr/local/bin/op
|
||||
COPY --from=op /usr/local/bin/op /usr/local/bin/op
|
||||
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
|
||||
COPY --from=builder /etc/passwd /etc/passwd
|
||||
COPY --from=builder /app/kube-1password-secrets /app/kube-1password-secrets
|
||||
|
@ -3,20 +3,11 @@ package onepassword
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os/exec"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// Client is the 1Password client
|
||||
type Client struct {
|
||||
Domain string
|
||||
Email string
|
||||
Password string
|
||||
SecretKey string
|
||||
Session string
|
||||
}
|
||||
type Client struct{}
|
||||
|
||||
// Secret contains the credentials from a 1Password secret
|
||||
type Secret struct {
|
||||
@ -28,13 +19,8 @@ type Secret struct {
|
||||
}
|
||||
|
||||
// New authenticates with the provided values and returns a new 1Password client
|
||||
func New(domain string, email string, password string, secretKey string) (*Client, error) {
|
||||
client := &Client{
|
||||
Domain: domain,
|
||||
Email: email,
|
||||
Password: password,
|
||||
SecretKey: secretKey,
|
||||
}
|
||||
func New() (*Client, error) {
|
||||
client := &Client{}
|
||||
if err := client.authenticate(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -42,27 +28,16 @@ func New(domain string, email string, password string, secretKey string) (*Clien
|
||||
}
|
||||
|
||||
func (op *Client) authenticate() error {
|
||||
cmd := exec.Command("op", "signin", op.Domain, op.Email, op.SecretKey, "--output=raw")
|
||||
stdin, err := cmd.StdinPipe()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot attach to stdin: %s", err)
|
||||
}
|
||||
go func() {
|
||||
defer stdin.Close()
|
||||
if _, err := io.WriteString(stdin, fmt.Sprintf("%s\n", op.Password)); err != nil {
|
||||
log.Println("[Error]", err)
|
||||
}
|
||||
}()
|
||||
cmd := exec.Command("op", "user", "get", "--me")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot signin: %s\n%s", err, output)
|
||||
return fmt.Errorf("Cannot verify auth: %s\n%s", err, output)
|
||||
}
|
||||
op.Session = strings.Trim(string(output), "\n")
|
||||
return nil
|
||||
}
|
||||
|
||||
func (op Client) runCmd(args ...string) ([]byte, error) {
|
||||
args = append(args, fmt.Sprintf("--session=%s", op.Session))
|
||||
args = append(args, "--format=json")
|
||||
cmd := exec.Command("op", args...)
|
||||
res, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
@ -73,7 +48,7 @@ func (op Client) runCmd(args ...string) ([]byte, error) {
|
||||
|
||||
// GetSecret returns the values from the secret stored in 1Password with a UUID matching the secretID
|
||||
func (op *Client) GetSecret(vault, secretID string) (*Secret, error) {
|
||||
res, err := op.runCmd("get", "item", secretID, fmt.Sprintf("--vault=%s", vault))
|
||||
res, err := op.runCmd("item", "get", secretID, "--reveal", fmt.Sprintf("--vault=%s", vault))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -84,30 +59,24 @@ func (op *Client) GetSecret(vault, secretID string) (*Secret, error) {
|
||||
|
||||
secret := &Secret{
|
||||
ID: item.UUID,
|
||||
Title: item.Overview.Title,
|
||||
Title: item.Title,
|
||||
Username: "",
|
||||
Password: "",
|
||||
SecretText: "",
|
||||
}
|
||||
|
||||
if len(item.Details.Fields) > 0 {
|
||||
for _, field := range item.Details.Fields {
|
||||
if len(item.Fields) > 0 {
|
||||
for _, field := range item.Fields {
|
||||
switch field.Name {
|
||||
case "username":
|
||||
secret.Username = field.Value
|
||||
case "password":
|
||||
secret.Password = field.Value
|
||||
case "notesPlain":
|
||||
secret.SecretText = field.Value
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if item.Details.Password != nil && *item.Details.Password != "" {
|
||||
secret.Password = *item.Details.Password
|
||||
}
|
||||
|
||||
if item.Details.Notes != "" {
|
||||
secret.SecretText = item.Details.Notes
|
||||
}
|
||||
|
||||
return secret, nil
|
||||
}
|
||||
|
@ -5,23 +5,13 @@ import (
|
||||
)
|
||||
|
||||
type field struct {
|
||||
Name string `json:"name"`
|
||||
Name string `json:"label"`
|
||||
Value string `json:"value"`
|
||||
}
|
||||
|
||||
type details struct {
|
||||
Fields []field `json:"fields"`
|
||||
Notes string `json:"notesPlain"`
|
||||
Password *string `json:"password;omitempty"`
|
||||
}
|
||||
|
||||
type overview struct {
|
||||
Title string `json:"title"`
|
||||
}
|
||||
|
||||
type response struct {
|
||||
UUID string `json:"uuid"`
|
||||
Updated time.Time `json:"createdAt"`
|
||||
Details details `json:"details"`
|
||||
Overview overview `json:"overview"`
|
||||
UUID string `json:"id"`
|
||||
Updated time.Time `json:"created_at"`
|
||||
Fields []field `json:"fields"`
|
||||
Title string `json:"title"`
|
||||
}
|
||||
|
19
main.go
19
main.go
@ -148,24 +148,11 @@ func buildOpClient() (*onepassword.Client, error) {
|
||||
panic(err.Error())
|
||||
}
|
||||
|
||||
domain, ok := os.LookupEnv("OP_DOMAIN")
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("OP_DOMAIN not specified")
|
||||
}
|
||||
email, ok := os.LookupEnv("OP_EMAIL")
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("OP_EMAIL not specified")
|
||||
}
|
||||
password, ok := os.LookupEnv("OP_PASSWORD")
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("OP_PASSWORD not specified")
|
||||
}
|
||||
secretKey, ok := os.LookupEnv("OP_SECRET_KEY")
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("OP_SECRET_KEY not specified")
|
||||
if _, ok := os.LookupEnv("OP_SERVICE_ACCOUNT_TOKEN"); !ok {
|
||||
return nil, fmt.Errorf("OP_SERVICE_ACCOUNT_TOKEN not specified")
|
||||
}
|
||||
|
||||
return onepassword.New(domain, email, password, secretKey)
|
||||
return onepassword.New()
|
||||
}
|
||||
|
||||
func parseAnnotations(annotations map[string]string) map[string]string {
|
||||
|
@ -16,26 +16,11 @@ spec:
|
||||
- image: kube-1password-secrets
|
||||
name: kube-1password-secrets
|
||||
env:
|
||||
- name: OP_DOMAIN
|
||||
- name: OP_SERVICE_ACCOUNT_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: kube-1password-secrets
|
||||
key: OP_DOMAIN
|
||||
- name: OP_EMAIL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: kube-1password-secrets
|
||||
key: OP_EMAIL
|
||||
- name: OP_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: kube-1password-secrets
|
||||
key: OP_PASSWORD
|
||||
- name: OP_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: kube-1password-secrets
|
||||
key: OP_SECRET_KEY
|
||||
key: OP_SERVICE_ACCOUNT_TOKEN
|
||||
volumeMounts:
|
||||
- mountPath: "/root/.op"
|
||||
name: op
|
||||
|
@ -1,4 +1 @@
|
||||
OP_DOMAIN=
|
||||
OP_EMAIL=
|
||||
OP_PASSWORD=
|
||||
OP_SECRET_KEY=
|
||||
OP_SERVICE_ACCOUNT_TOKEN=
|
||||
|
Loading…
Reference in New Issue
Block a user