Merge pull request #287 from rarguello/1password-connect

Add 1Password Connect and Operator

1password-connect/README.md

@@ -0,0 +1,49 @@
+# 1Password Connect and Operator
+
+Installs 1Password [Connect](https://developer.1password.com/docs/connect/) and [Operator](https://developer.1password.com/docs/k8s/k8s-operator/).
+
+Do not use the `base` directory directly, as you will need to create the appropiate Secrets. The current *overlays* available are:
+
+* [default](aggregate/overlays/default)
+
+## Usage
+
+You need to create the following Secrets in the namespace where you want to install 1Password Connect and Operator:
+
+- `onepassword-credentials`: A JSON file with the 1password credentials.
+- `onepassword-token`: A file with the 1Password token.
+
+You can create the Secrets as part of your own overlay, by using following `kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - github.com/redhat-cop/gitops-catalog/1password-connect/aggregate/overlays/default?ref=main
+
+secretGenerator:
+  - name: onepassword-credentials
+    behavior: replace
+    files:
+      - 1password-credentials.json
+  - name: onepassword-token
+    behavior: replace
+    envs:
+      - onepassword-token.env
+
+generatorOptions:
+  disableNameSuffixHash: true
+```
+
+You need to execute this command to prepare the `1password-credentials.json` file:
+
+```shell
+cat original-1password-credentials.json | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > 1password-credentials.json
+```
+
+The `onepassword-token.env` file is an env file with the following content:
+
+```ini
+token=YOUR-1PASSWORD-TOKEN
+```

1password-connect/aggregate/overlays/default/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../../connect/overlays/default
+  - ../../../operator/overlays/default

1password-connect/connect/base/deployment.yaml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: onepassword-connect
+  template:
+    metadata:
+      labels:
+        app: onepassword-connect
+    spec:
+      serviceAccountName: onepassword-connect
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+      containers:
+        - name: connect-api
+          image: 1password/connect-api:1.7.2
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 999
+            runAsGroup: 999
+            allowPrivilegeEscalation: false
+            ports:
+              - containerPort: 8080
+          env:
+            - name: OP_SESSION
+              valueFrom:
+                secretKeyRef:
+                  name: onepassword-credentials
+                  key: 1password-credentials.json
+            - name: OP_BUS_PORT
+              value: "11220"
+            - name: OP_BUS_PEERS
+              value: localhost:11221
+            - name: OP_HTTP_PORT
+              value: "8080"
+            - name: OP_LOG_LEVEL
+              value: info
+          readinessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTP
+              port: 8080
+            initialDelaySeconds: 15
+          livenessProbe:
+            httpGet:
+              path: /heartbeat
+              scheme: HTTP
+              port: 8080
+            failureThreshold: 3
+            periodSeconds: 30
+            initialDelaySeconds: 15
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "0.2"
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
+        - name: connect-sync
+          image: 1password/connect-sync:1.7.2
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 999
+            runAsGroup: 999
+            allowPrivilegeEscalation: false
+          env:
+            - name: OP_HTTP_PORT
+              value: "8081"
+            - name: OP_SESSION
+              valueFrom:
+                secretKeyRef:
+                  name: onepassword-credentials
+                  key: 1password-credentials.json
+            - name: OP_BUS_PORT
+              value: "11221"
+            - name: OP_BUS_PEERS
+              value: localhost:11220
+            - name: OP_LOG_LEVEL
+              value: info
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8081
+            initialDelaySeconds: 15
+          livenessProbe:
+            httpGet:
+              path: /heartbeat
+              port: 8081
+              scheme: HTTP
+            failureThreshold: 3
+            periodSeconds: 30
+            initialDelaySeconds: 15
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "0.2"
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data

1password-connect/connect/base/kustomization.yaml

@@ -0,0 +1,20 @@
+namespace: onepassword
+
+commonLabels:
+  app.kubernetes.io/name: onepassword-connect
+  app.kubernetes.io/component: connect
+
+resources:
+  - namespace.yaml
+  - serviceaccount.yaml
+  - scc.yaml
+  - deployment.yaml
+  - service.yaml
+
+secretGenerator:
+  - name: onepassword-credentials
+    literals:
+      - 1password-credentials.json=Y2hhbmdlbWU=
+
+generatorOptions:
+  disableNameSuffixHash: true

1password-connect/connect/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: onepassword

1password-connect/connect/base/scc.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: onepassword-connect-anyuid
+subjects:
+  - kind: ServiceAccount
+    name: onepassword-connect
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid

1password-connect/connect/base/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: onepassword-connect
+spec:
+  type: ClusterIP
+  selector:
+    app: onepassword-connect
+  ports:
+    - port: 8080
+      name: connect-api

1password-connect/connect/base/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: onepassword-connect

1password-connect/connect/overlays/default/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base

1password-connect/operator/base/clusterrole.yaml

@@ -0,0 +1,80 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: onepassword-connect-operator
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - services
+      - services/finalizers
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+      - namespaces
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - apps
+    resourceNames:
+      - onepassword-connect-operator
+    resources:
+      - deployments/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+      - deployments
+    verbs:
+      - get
+  - apiGroups:
+      - onepassword.com
+    resources:
+      - "*"
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

1password-connect/operator/base/clusterrolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: onepassword-connect-operator
+subjects:
+  - kind: ServiceAccount
+    name: onepassword-connect-operator
+roleRef:
+  kind: ClusterRole
+  name: onepassword-connect-operator
+  apiGroup: rbac.authorization.k8s.io

1password-connect/operator/base/deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: onepassword-connect-operator
+  template:
+    metadata:
+      labels:
+        app: onepassword-connect-operator
+    spec:
+      serviceAccountName: onepassword-connect-operator
+      containers:
+        - name: onepassword-connect-operator
+          image: 1password/onepassword-operator:1.8.0
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 65532
+            runAsGroup: 65532
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          command: ["/manager"]
+          args: [--zap-log-level=info]
+          env:
+            - name: WATCH_NAMESPACE
+              value: ""
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: onepassword-connect-operator
+            - name: OP_CONNECT_HOST
+              value: http://onepassword-connect:8080
+            - name: POLLING_INTERVAL
+              value: "600"
+            - name: OP_CONNECT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: onepassword-token
+                  key: token
+            - name: AUTO_RESTART
+              value: "false"
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+            limits:
+              cpu: 500m
+              memory: 128Mi

1password-connect/operator/base/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: onepassword
+
+commonLabels:
+  app.kubernetes.io/name: onepassword-connect-operator
+  app.kubernetes.io/component: operator
+
+resources:
+  - serviceaccount.yaml
+  - scc.yaml
+  - clusterrole.yaml
+  - clusterrolebinding.yaml
+  - deployment.yaml
+
+secretGenerator:
+  - name: onepassword-token
+    literals:
+      - token=Y2hhbmdlbWU=
+
+generatorOptions:
+  disableNameSuffixHash: true