feat: add Go template support for secret data rendering#256

Open
christian-deleon wants to merge 6 commits into1Password:mainfrom
christian-deleon:feat/secret-templates
Conversation

@christian-deleon
✨ Summary

Adds Go template support to OnePasswordItem, allowing users to define custom secret data keys using Go templates rendered against the 1Password item's fields, sections, and metadata.

Motivation: The current 1:1 field-to-key mapping is limiting for use cases that require combining fields, reformatting values, or constructing connection strings (e.g. DSNs, URIs). This feature lets users express those transformations declaratively in the CRD spec.

Example:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: db-credentials
spec:
  itemPath: "vaults/my-vault/items/my-db"
  template:
    data:
      DSN: "postgres://{{ .Fields.username }}:{{ .Fields.password }}@{{ .Fields.host }}:{{ .Fields.port }}/{{ .Fields.database }}"
      config.yaml: |
        host: {{ .Fields.host }}
        port: {{ .Fields.port }}

What's included:

  • SecretTemplate type added to OnePasswordItemSpec with template.data map
  • Go template engine (pkg/template/) with BuildTemplateContext and ProcessTemplate
  • Template context exposes .Fields (flat), .Sections (nested by section label), and .FieldsByID
  • Section and field metadata enrichment in pkg/onepassword/model/ (ID, SectionID, FieldType)
  • Template processing integrated into BuildKubernetesSecretData as priority 2 (after imagePullSecret, before default)
  • Background polling handler preserves template config when re-rendering secrets
  • USAGEGUIDE.md updated with template documentation and examples

🔗 Resolves:

N/A — new feature

✅ Checklist

  • 🖊️ Commits are signed
  • 🧪 Tests added/updated:
    • 🔹 Unit — template engine tests (pkg/template/template_test.go), model metadata tests
    • 🔸 Integration — controller tests for template rendering via envtest
    • 🌐 E2E (Connect) — not added (requires 1Password vault fixtures)
    • 🔑 E2E (Service Account) — not added (requires 1Password vault fixtures)
  • 📚 Docs updated (USAGEGUIDE.md)

🕵️ Review Notes & ⚠️ Risks

  • Priority system in BuildKubernetesSecretData: Template rendering is priority 2. If a template is defined, it completely replaces the default field/URL/file mapping. This is intentional — templates give full control over output.
  • No breaking changes: The template field is optional. Existing OnePasswordItem resources without template behave identically to before.
  • Background polling: The secret update handler now looks up the OnePasswordItem CR to retrieve template config when re-rendering secrets during polling, instead of passing nil.
  • E2E tests require 1Password vault access — maintainers can validate with /ok-to-test.

Add ID, SectionID, and FieldType fields to ItemField. Add ItemSection
struct and Sections slice to Item. Enrich FromConnectItem and FromSDKItem
to populate section metadata from the respective SDK types.

This metadata is needed to support Go template rendering where users can
reference fields by section (e.g. .Sections.Database.username).

Add SecretTemplate struct with a Data map[string]string field and an
optional Template pointer on OnePasswordItemSpec. Regenerate deepcopy
methods and CRD manifests.

This allows users to define Go template strings per secret key in their
OnePasswordItem resources.

Add pkg/template with BuildTemplateContext and ProcessTemplate functions.
BuildTemplateContext constructs a TemplateContext from a model.Item with
three access patterns: .Fields (flat by label), .Sections (nested by
section title), and .FieldsByID (by unique field ID).

ProcessTemplate parses and executes a Go template string against the
context, returning the rendered bytes.

…lers

Update BuildKubernetesSecretData to accept a model.Item and optional
SecretTemplate instead of decomposed fields/urls/files. When a template
is provided, render each key through the Go template engine and return
only the templated keys. Fall back to default field/URL/file mapping
when no template is set.

Thread the SecretTemplate parameter through CreateKubernetesSecretFromItem
and BuildKubernetesSecretFromOnePasswordItem. The OnePasswordItem
controller extracts the template from the resource spec; the deployment
controller and secret update handler pass nil (no template support for
annotation-based secrets).

Update all existing test call sites and add template-specific unit tests
covering multi-key templates, section access, hyphenated keys via index,
invalid template handling, nil template fallback, and end-to-end secret
creation. Add integration tests for template rendering in the controller
test suite.

Document the template feature in USAGEGUIDE.md including basic usage,
multiple keys, template context reference (.Fields, .Sections,
.FieldsByID, index for special characters), and behaviour notes.
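The PR description and the pkg/template commit message above both describe the same engine: a TemplateContext built from an item (flat .Fields, .Sections keyed by section label, .FieldsByID) and a ProcessTemplate that renders each template.data key through text/template. The block below is an added, self-contained illustration of that design written for this review; it is not the operator's code and is not taken from the PR. The Item, ItemField and ItemSection structs are assumed stand-ins for model.Item, the sample item is constructed, and the missingkey=error option is an assumption of this example rather than something the PR states the project does.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Item, ItemField and ItemSection are assumed, simplified stand-ins for the
// operator's model.Item types (ID, Label, SectionID as the PR describes).
type ItemField struct {
	ID        string
	Label     string
	Value     string
	SectionID string
}

type ItemSection struct {
	ID    string
	Label string
}

type Item struct {
	Fields   []ItemField
	Sections []ItemSection
}

// TemplateContext offers the three access patterns named in the PR.
type TemplateContext struct {
	Fields     map[string]string            // flat, keyed by field label
	Sections   map[string]map[string]string // section label -> field label -> value
	FieldsByID map[string]string            // keyed by unique field ID
}

// BuildTemplateContext flattens an item into the context. With a flat map,
// two fields sharing a label in different sections collide (last one wins);
// .Sections or .FieldsByID is the unambiguous path in that case.
func BuildTemplateContext(item Item) TemplateContext {
	ctx := TemplateContext{
		Fields:     map[string]string{},
		Sections:   map[string]map[string]string{},
		FieldsByID: map[string]string{},
	}
	sectionLabel := map[string]string{}
	for _, s := range item.Sections {
		sectionLabel[s.ID] = s.Label
		ctx.Sections[s.Label] = map[string]string{}
	}
	for _, f := range item.Fields {
		ctx.Fields[f.Label] = f.Value
		ctx.FieldsByID[f.ID] = f.Value
		if label, ok := sectionLabel[f.SectionID]; ok {
			ctx.Sections[label][f.Label] = f.Value
		}
	}
	return ctx
}

// ProcessTemplate parses and executes one template string against the
// context. missingkey=error (an assumption here) turns a mistyped field
// name into a hard error instead of silently writing "<no value>" into a
// connection string that is then stored as a Kubernetes Secret.
func ProcessTemplate(name, tpl string, ctx TemplateContext) ([]byte, error) {
	t, err := template.New(name).Option("missingkey=error").Parse(tpl)
	if err != nil {
		return nil, fmt.Errorf("parse template %q: %w", name, err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return nil, fmt.Errorf("execute template %q: %w", name, err)
	}
	return buf.Bytes(), nil
}

// RenderSecretData renders every key of template.data and returns only the
// templated keys, matching the "template replaces default mapping" rule.
func RenderSecretData(item Item, data map[string]string) (map[string][]byte, error) {
	ctx := BuildTemplateContext(item)
	out := make(map[string][]byte, len(data))
	for key, tpl := range data {
		b, err := ProcessTemplate(key, tpl, ctx)
		if err != nil {
			return nil, err
		}
		out[key] = b
	}
	return out, nil
}

// sampleItem is constructed test data, not a real 1Password item.
func sampleItem() Item {
	return Item{
		Sections: []ItemSection{{ID: "sec1", Label: "Database"}},
		Fields: []ItemField{
			{ID: "f1", Label: "username", Value: "app", SectionID: "sec1"},
			{ID: "f2", Label: "password", Value: "s3cr3t", SectionID: "sec1"},
			{ID: "f3", Label: "host", Value: "db.internal"},
			{ID: "f4", Label: "port", Value: "5432"},
			{ID: "f5", Label: "database", Value: "app"},
			{ID: "f6", Label: "api-key", Value: "k-123"},
		},
	}
}

func main() {
	data := map[string]string{
		"DSN":     "postgres://{{ .Fields.username }}:{{ .Fields.password }}@{{ .Fields.host }}:{{ .Fields.port }}/{{ .Fields.database }}",
		"API_KEY": `{{ index .Fields "api-key" }}`, // hyphenated label needs index
		"USER":    "{{ .Sections.Database.username }}",
	}
	out, err := RenderSecretData(sampleItem(), data)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	for k, v := range out {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Two practical notes follow from the example. First, a password containing `@`, `/` or `%` will corrupt a DSN assembled by plain concatenation; text/template's builtin `urlquery` function (`{{ .Fields.password | urlquery }}`) escapes it. Second, a parse or execute error for any single key should fail the whole render, as above, rather than writing a partial Secret that workloads might consume.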