{"id":18454350,"url":"https://github.com/1password/kubernetes-secrets-injector","last_synced_at":"2025-09-04T05:49:11.389Z","repository":{"id":47393489,"uuid":"481686229","full_name":"1Password/kubernetes-secrets-injector","owner":"1Password","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-12T17:27:29.000Z","size":7311,"stargazers_count":60,"open_issues_count":12,"forks_count":9,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-09T00:03:39.946Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/1Password.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-14T17:11:23.000Z","updated_at":"2025-04-04T02:26:56.000Z","dependencies_parsed_at":"2023-07-13T04:16:34.694Z","dependency_job_id":"d0ef8418-a129-494a-974e-47e9ba1f462e","html_url":"https://github.com/1Password/kubernetes-secrets-injector","commit_stats":null,"previous_names":["1password/kubernetes-secret-injector"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fkubernetes-secrets-injector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fkubernetes-secrets-injector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fkubernetes-secrets-injector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fkubernetes-secrets-in
jector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/1Password","download_url":"https://codeload.github.com/1Password/kubernetes-secrets-injector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253166514,"owners_count":21864475,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T08:03:54.047Z","updated_at":"2025-05-09T00:03:55.454Z","avatar_url":"https://github.com/1Password.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 1Password Secrets Injector for Kubernetes\n\nThe 1Password Secrets Injector implements a mutating webhook to inject 1Password secrets as environment variables into a Kubernetes pod or deployment. 
Unlike the [1Password Kubernetes Operator](https://github.com/1Password/onepassword-operator), the Secrets Injector doesn't create a Kubernetes Secret when assigning secrets to your resource.\n\nThe 1Password Secrets Injector for Kubernetes can use [1Password Connect](https://developer.1password.com/docs/connect) or [1Password Service Accounts](https://developer.1password.com/docs/service-accounts) to retrieve items.\n\nRead more on the [1Password Developer Portal](https://developer.1password.com/connect/k8s-injector).\n\n- [Usage](#usage)\n- [Setup and deployment](#setup-and-deployment)\n- [Use with 1Password Connect](#use-with-1password-connect)\n- [Use with 1Password Service Accounts](#use-with-1password-service-accounts)\n- [Troubleshooting](#troubleshooting)\n- [Security](#security)\n\n## Usage\n\n```yaml\n# client-deployment.yaml - The client deployment/pod where you want to inject secrets\n\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: app-example\nspec:\n  selector:\n    matchLabels:\n      app: app-example\n  template:\n    metadata:\n      annotations:\n        operator.1password.io/inject: \"app-example1\"\n      labels:\n        app: app-example\n    spec:\n      containers:\n        - name: app-example1\n          image: my-image\n          ports:\n            - containerPort: 5000\n          command: [\"npm\"]\n          args: [\"start\"]\n          # A 1Password Connect server will inject secrets into this application.\n          env:\n          - name: OP_CONNECT_HOST\n            value: http://onepassword-connect:8080\n          - name: OP_CONNECT_TOKEN\n            valueFrom:\n              secretKeyRef:\n                name: connect-token\n                key: token\n          - name: DB_USERNAME\n            value: op://my-vault/my-item/sql/username\n          - name: DB_PASSWORD\n            value: op://my-vault/my-item/sql/password\n\n        - name: my-app # my-app isn't listed in the inject annotation above, so secrets won't be 
injected into this container.\n          image: my-image\n          ports:\n            - containerPort: 5000\n          command: [\"npm\"]\n          args: [\"start\"]\n          env:\n          - name: DB_USERNAME\n            value: op://my-vault/my-item/sql/username\n          - name: DB_PASSWORD\n            value: op://my-vault/my-item/sql/password\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eUsage with 1Password Service Accounts\u003c/summary\u003e\n\n```yaml\n# client-deployment.yaml - The client deployment/pod where you want to inject secrets\n\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: app-example\nspec:\n  selector:\n    matchLabels:\n      app: app-example\n  template:\n    metadata:\n      annotations:\n        operator.1password.io/inject: \"app-example1\"\n        operator.1password.io/version: \"2-beta\"\n      labels:\n        app: app-example\n    spec:\n      containers:\n        - name: app-example1\n          image: my-image\n          ports:\n            - containerPort: 5000\n          command: [\"npm\"]\n          args: [\"start\"]\n          # A 1Password Service Account will inject secrets into this application.\n          env:\n          - name: OP_SERVICE_ACCOUNT_TOKEN\n            valueFrom:\n              secretKeyRef:\n                name: op-service-account\n                key: token\n          - name: DB_USERNAME\n            value: op://my-vault/my-item/sql/username\n          - name: DB_PASSWORD\n            value: op://my-vault/my-item/sql/password\n\n        - name: my-app # my-app isn't listed in the inject annotation above, so secrets won't be injected into this container.\n          image: my-image\n          ports:\n            - containerPort: 5000\n          command: [\"npm\"]\n          args: [\"start\"]\n          env:\n          - name: DB_USERNAME\n            value: op://my-vault/my-item/sql/username\n          - name: DB_PASSWORD\n            value: 
op://my-vault/my-item/sql/password\n```\n\n\u003c/details\u003e\n\nTo inject secrets, the Pod you're looking to inject into must have a `command` value defined in its [Deployment or Pod spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core). The 1Password Secrets Injector works by mutating this value on initialization, so a `command` is required for the mutation to apply. If the deployments you're using aren't designed to have `command` specified in the deployment, then the 1Password Kubernetes Operator may be a better fit for your use case.\n\n**Note:** Injected secrets are available *only* in the current pod's session. In other words, the secrets will only be accessible for the command listed in the container specification. To access them in any other session, for example using `kubectl exec`, it's necessary to prepend `op run --` to the command.\n\nIn the example above, the `app-example1` container will have the `DB_USERNAME` and `DB_PASSWORD` values injected into the session executed by the command `npm start`.\n\nAn alternative that makes the secrets available in all of the container's sessions is to use the [1Password Kubernetes Operator](https://github.com/1password/onepassword-operator).\n\n## Setup and Deployment\n\n### Prerequisites\n\n- [docker installed](https://docs.docker.com/get-docker/)\n- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)\n\nIf you want to use 1Password Connect:\n\n- [Set up a Secrets Automation workflow](https://developer.1password.com/docs/connect/get-started#step-1-set-up-a-secrets-automation-workflow).\n- [Deploy 1Password Connect](https://developer.1password.com/docs/connect/get-started#step-2-deploy-1password-connect-server) in your Kubernetes infrastructure.\n\nThen, follow the instructions to [use the Kubernetes Injector](#use-with-1password-connect).\n\nIf you want to use 1Password Service Accounts:\n\n- [Create a service 
account.](https://developer.1password.com//docs/service-accounts/)\n\nThen, follow the instructions to [use the Kubernetes Injector with a service account](#use-with-1password-service-accounts).\n\n## Use with 1Password Connect\n\n### Step 1: Create a Kubernetes secret containing `OP_CONNECT_TOKEN`\n\n```shell\nkubectl create secret generic connect-token --from-literal=token=YOUR_OP_CONNECT_TOKEN\n```\n\n### Step 2: Add the `secrets-injection=enabled` label to the namespace\n\n```shell\nkubectl label namespace default secrets-injection=enabled\n```\n\n### Step 3: Deploy the injector\n\n```shell\nmake deploy\n```\n\n**NOTE:** The injector creates the TLS certificate required for the webhook on the fly when the injector is deployed ([`deployment.yaml`](/deploy/deployment.yaml)). When the injector is removed from the cluster, it deletes the certificate.\n\n### Step 4: Annotate your client pod or deployment with the `inject` annotation\n\nAnnotate your client pod or deployment spec with `operator.1password.io/inject`. It expects a comma-separated list of the names of the containers that will be mutated and have secrets injected.\n\n```yaml\n# client-deployment.yaml\nannotations:\n  operator.1password.io/inject: \"app-example1\"\n```\n\n### Step 5: Configure the resource's environment\n\nAdd an environment variable to the resource with a value referencing your 1Password item. Use the following secret reference syntax: `op://\u003cvault\u003e/\u003citem\u003e[/section]/\u003cfield\u003e`.\n\n```yaml\nenv:\n  - name: DB_USERNAME\n    value: op://my-vault/my-item/sql/username\n```\n\n### Step 6: Provide 1Password CLI credentials on your pod or deployment\n\nProvide your Pod or Deployment with 1Password CLI credentials to perform the injection. 
One possibility to safely provide these credentials is to [create a Kubernetes Secret](#step-1-create-a-kubernetes-secret-containing-opconnecttoken) and refer to it in your deployment configuration.\n\n```yaml\n# your-app-pod/deployment.yaml\nenv:\n  - name: OP_CONNECT_HOST\n    value: http://onepassword-connect:8080\n  - name: OP_CONNECT_TOKEN\n    valueFrom:\n      secretKeyRef:\n        name: connect-token\n        key: token\n  - name: DB_USERNAME\n    value: op://my-vault/my-item/sql/username\n```\n\n## Use with 1Password Service Accounts\n\n### Step 1: Create a Kubernetes secret containing `OP_SERVICE_ACCOUNT_TOKEN`\n\n```shell\nkubectl create secret generic op-service-account --from-literal=token=YOUR_OP_SERVICE_ACCOUNT_TOKEN\n```\n\n### Step 2: Add the `secrets-injection=enabled` label to the namespace\n\n```shell\nkubectl label namespace default secrets-injection=enabled\n```\n\n### Step 3: Deploy the injector\n\n```shell\nmake deploy\n```\n\n**NOTE:** The injector creates the TLS certificate required for the webhook on the fly when the injector is deployed (`deployment.yaml`). When the injector is removed from the cluster, it deletes the certificate.\n\n### Step 4: Annotate your client pod or deployment with the `inject` annotation\n\nAnnotate your client pod or deployment spec with `operator.1password.io/inject`. It expects a comma-separated list of the names of the containers that will be mutated and have secrets injected.\n\n```yaml\n# client-deployment.yaml\nannotations:\n  operator.1password.io/inject: \"app-example1\"\n```\n\n### Step 5: Annotate your client pod or deployment with the `version` annotation\n\nAnnotate your client pod or deployment with the latest version of the 1Password CLI (`2.18.0` or later).\n\n```yaml\n# client-deployment.yaml\nannotations:\n  operator.1password.io/version: \"2-beta\"\n```\n\n### Step 6: Configure the resource's environment\n\nAdd an environment variable to the resource with a value referencing your 1Password item. 
Use the following secret reference syntax: `op://\u003cvault\u003e/\u003citem\u003e[/section]/\u003cfield\u003e`.\n\n```yaml\n# client-deployment.yaml\nenv:\n  - name: DB_USERNAME\n    value: op://my-vault/my-item/sql/username\n```\n\n### Step 7: Provide 1Password CLI credentials on your pod or deployment\n\nProvide your Pod or Deployment with 1Password CLI credentials to perform the injection. One possibility to safely provide these secrets is to [create a Kubernetes Secret](#step-1-create-a-kubernetes-secret-containing-opserviceaccounttoken) and refer to it in your deployment configuration.\n\n```yaml\n# client-deployment.yaml\nenv:\n  - name: OP_SERVICE_ACCOUNT_TOKEN\n    valueFrom:\n      secretKeyRef:\n        name: op-service-account\n        key: token\n  - name: DB_USERNAME\n    value: op://my-vault/my-item/sql/username\n```\n\n## Troubleshooting\n\nIf you can't inject secrets in your pod, make sure:\n\n- The namespace of your pod has the `secrets-injection=enabled` label\n- The 1Password Secret Injector webhook is running (`secrets-injector` by default).\n- Your container has a `command` field specifying the command to run the app in your container\n\n## Security\n\n1Password requests you practice responsible disclosure if you discover a vulnerability.\n\nPlease file requests by sending an email to bugbounty@agilebits.com.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Fkubernetes-secrets-injector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F1password%2Fkubernetes-secrets-injector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Fkubernetes-secrets-injector/lists"}