
onepassword PushSecret functionality #2565

Closed
acelinkio opened this issue Aug 1, 2023 · 8 comments
Labels
good first issue Good for newcomers kind/feature Categorizes issue or PR as related to a new feature.

@acelinkio

Describe the bug
onepassword provider does not provide PushSecret functionality

To Reproduce

  • install external-secrets 0.9.1
  • create a ClusterSecretStore for the 1password connector, example below

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: 1password
spec:
  provider:
    onepassword:
      connectHost: http://onepassword-connect.1passwordconnect.svc.cluster.local:8080
      vaults:
        homelab: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: 1passwordconnect
            key: token
            namespace: external-secrets

  • create a PushSecret

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: letsencrypt-staging
  namespace: certificates
spec:
  refreshInterval: 10s
  secretStoreRefs:
    - name: 1password
      kind: ClusterSecretStore
  selector:
    secret:
      name: wildcard-staging
  data:
    - match:
        secretKey: tls.crt
        remoteRef:
          remoteKey: tls.crt

  • returns

status:
  conditions:
    - lastTransitionTime: '2023-08-01T08:46:26Z'
      message: >-
        set secret failed: could not write remote ref tls.crt to target
        secretstore 1password: not implemented
      reason: Errored
      status: 'False'
      type: Ready

Expected behavior
Push a secret to 1password.

Additional context
The error message confused me at first, until I searched through this project.
https://github.com/external-secrets/external-secrets/blob/v0.9.1/pkg/provider/onepassword/onepassword.go#L161

Looks like the PushSecrets feature, #1315, was introduced after the original onepassword integration was added, #36.

@acelinkio acelinkio added the kind/bug Categorizes issue or PR as related to a bug. label Aug 1, 2023
@acelinkio
Author

Hey @snarlysodboxer, you are listed as the maintainer for the onepassword plugin.

Do you see any issues with 1password or 1passwordconnect adding PushSecret functionality? This appears to require that both the PushSecret and DeleteSecret functions work.

@moolen moolen added kind/feature Categorizes issue or PR as related to a new feature. good first issue Good for newcomers and removed kind/bug Categorizes issue or PR as related to a bug. labels Aug 1, 2023
@snarlysodboxer
Contributor

I think this should be doable. However, unfortunately the Go client library for the 1Password Connect Server doesn't currently support uploading files. But we should be able to do it by implementing the HTTP request to the Connect Server ourselves. We'll have to try it.

I talk about uploading files because, unless PushSecret (new to me) supports custom attributes that could choose the type of 1Password Item to create for a particular PushSecret, we will probably need to choose the Document type for all PushSecrets, even if they're not multi-line secret values. In other words, while the 1Password provider supports reading from Password type or Document type items, I think it could only support pushing Document type items (but I don't see any problems with that).
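The push/delete contract discussed in the two comments above, as an added Go example that is not code from the external-secrets project or the 1Password client library; the SecretPusher interface shape, the stub and in-memory providers, and the sample keys are all assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// SecretPusher is an assumed minimal push/delete contract modelled on the
// thread; it is not external-secrets' real provider interface. A provider
// needs both methods before a PushSecret can target it.
type SecretPusher interface {
	PushSecret(ctx context.Context, remoteKey string, value []byte) error
	DeleteSecret(ctx context.Context, remoteKey string) error
}

var errNotImplemented = errors.New("not implemented")

// stubProvider mirrors the v0.9.1 behaviour reported above: nothing is wired up.
type stubProvider struct{}

func (stubProvider) PushSecret(context.Context, string, []byte) error { return errNotImplemented }
func (stubProvider) DeleteSecret(context.Context, string) error      { return errNotImplemented }

// memProvider is a constructed in-memory stand-in for a 1Password vault.
type memProvider struct{ items map[string][]byte }

func (m *memProvider) PushSecret(_ context.Context, key string, v []byte) error {
	m.items[key] = append([]byte(nil), v...) // copy so the caller's buffer is not shared
	return nil
}

func (m *memProvider) DeleteSecret(_ context.Context, key string) error {
	delete(m.items, key)
	return nil
}

// pushAll applies a PushSecret's data mapping (secretKey -> remoteKey) to the selected
// Secret's data; on failure it returns the message style seen in the status condition.
func pushAll(ctx context.Context, p SecretPusher, store string, secret map[string][]byte, mapping map[string]string) (string, error) {
	for secretKey, remoteKey := range mapping {
		v, ok := secret[secretKey]
		if !ok {
			return "Errored", fmt.Errorf("set secret failed: key %s missing from selected secret", secretKey)
		}
		if err := p.PushSecret(ctx, remoteKey, v); err != nil {
			return "Errored", fmt.Errorf("set secret failed: could not write remote ref %s to target secretstore %s: %w", remoteKey, store, err)
		}
	}
	return "Ready", nil
}
```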

@acelinkio
Author

acelinkio commented Aug 3, 2023

I don't think it is worth the effort to specify different field types. I could see a case if you wanted to have a single 1password secret with lots of documents inside, but I do not think most backends support that approach. AWS and Kubernetes definitely do not. Kubernetes Secrets/ConfigMaps can only hold up to ~1 MB. AWS Secrets Manager only supports up to 10 KB of contents for an individual secret.

Let's aim for external-secrets PushSecret to create a 1password secret and only use the password category for keys. I could not find any 1password documentation on size limits for an entire secret or individual items, but I was able to put two 500 KB password items into a single 1password secret (a third 500 KB entry would not save). That is more than enough and would greatly simplify implementation.

References:

@snarlysodboxer
Contributor

snarlysodboxer commented Aug 3, 2023

@acelinkio Thanks for the helpful research. There is actually a different reason I suggested using the Document type for all pushed values, and that is that multi-line values, such as TLS certificates, don't work well in Password type Items, particularly in the APP/GUI. You would at least be unable to use the APP to edit a multi-line value that was created as a Password type. I believe I tried a while back to use the API to create a multi-line Password type, and I don't remember the specifics other than that the lack of support for it in the 1Password GUI was enough for me not to continue to pursue that approach.

The good thing about Document type items is that they can also contain single-line values, whereas Password type items cannot contain multi-line values, or at least not in an officially supported way.

And you can have many "files" or "entries", if you will, in a Document type item.

@bthuilot
Contributor

@acelinkio I would be happy to take this up if you wanted to assign this issue to me.

@acelinkio
Author

Hey @bthuilot,

Snarly and I are not members of the project and are unable to assign issues.

Please do not let that stop you from getting started. Start a pull request and reference this ticket!

@bthuilot
Contributor

Just opened #2646 to address this; feel free to let me know if some of the functionality is not what you had in mind!

@acelinkio
Author

Added in v0.9.12
