onepassword-operator icon indicating copy to clipboard operation
onepassword-operator copied to clipboard
verified publisher icon 1Password

Labels should not be propagated from OnePasswordItem objects to Secret objects

Open uhthomas opened this issue 2 years ago • 5 comments

Your environment

Operator Version: v1.8.0

Connect Server Version: N/A

Kubernetes Version: N/A

What happened?

As explained in a different project, propagating annotations and labels can be dangerous. In my case, this makes the operator incompatible with Kubernetes ApplySets.

https://kubernetes.io/blog/2023/05/09/introducing-kubectl-applyset-pruning/

https://github.com/spotahome/redis-operator/issues/592

What did you expect to happen?

Labels should not be propagated from OnePasswordItem objects to Secret objects

Steps to reproduce

  1. Create a OnePasswordItem object
  2. Observe all annotations and labels are propagated

Notes & Logs

https://github.com/1Password/onepassword-operator/issues/144

https://github.com/1Password/onepassword-operator/issues/114

https://github.com/1Password/onepassword-operator/issues/102

https://github.com/1Password/onepassword-operator/issues/96

https://github.com/1Password/onepassword-operator/issues/84

https://github.com/1Password/onepassword-operator/issues/41

uhthomas avatar Nov 04 '23 14:11 uhthomas

There is also no workaround for this, as the operator does not support StatefulSet objects.

https://github.com/1Password/onepassword-operator/issues/18

uhthomas avatar Nov 04 '23 14:11 uhthomas

In addition, the secret is never recreated after it's pruned because of https://github.com/1Password/onepassword-operator/issues/177.

uhthomas avatar Nov 04 '23 14:11 uhthomas

A 'should not be' is quite a strong and one-sided opinion. We, for example, rely on this particular functionality to deploy ArgoCD secrets (repository credentials, etc.) that must be labeled appropriately for ArgoCD to find them (argocd.argoproj.io/secret-type). There are multiple other objects that rely on labels/annotations, as mentioned in related issues.

As mentioned in #144 , there should be a way to support both options.

ak-sundae avatar Feb 16 '24 04:02 ak-sundae

Inline with the behaviour of native Kubernetes resources, this should at least not be the default behaviour.

https://github.com/kubernetes/kubernetes/issues/92896#issuecomment-655540826

I do appreciate it may be desirable for some, and so should be optional.

uhthomas avatar Feb 16 '24 09:02 uhthomas