
feat: add automatic imagePullSecret (dockerconfigjson) generation#257

Open
christian-deleon wants to merge 10 commits into1Password:mainfrom
christian-deleon:feat/image-pull-secrets

Conversation

@christian-deleon

✨ Summary

Adds imagePullSecret config to OnePasswordItem, allowing the operator to automatically generate properly formatted kubernetes.io/dockerconfigjson secrets from 1Password item fields.

Motivation: Image pull secrets require a specific .dockerconfigjson format with base64-encoded auth. Currently users must either manually create these secrets or use external tooling. This feature lets the operator handle it natively by mapping 1Password fields to the required registry, username, password, and email values.

Example:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: my-registry-creds
spec:
  itemPath: "vaults/my-vault/items/registry-creds"
  imagePullSecret:
    registryField: registry
    usernameField: username
    passwordField: password
    emailField: email

Produces:

{
  "auths": {
    "ghcr.io": {
      "username": "myuser",
      "password": "mytoken",
      "email": "me@example.com",
      "auth": "bXl1c2VyOm15dG9rZW4="
    }
  }
}

What's included:

  • ImagePullSecretConfig type added to OnePasswordItemSpec with field mappings (registryField, usernameField, passwordField, emailField)
  • BuildDockerConfigJSON builder in pkg/template/imagepullsecret.go
  • ImagePullSecret processing integrated into BuildKubernetesSecretData as priority 1 (before template and default)
  • Controller auto-sets kubernetes.io/dockerconfigjson secret type when imagePullSecret is configured
  • Background polling handler preserves imagePullSecret config when re-rendering secrets
  • Deployment restart detection now checks pod.Spec.ImagePullSecrets[] references
  • USAGEGUIDE.md updated with imagePullSecret documentation

Depends on: #256 (Go template support) — this PR builds on the template PR's API and builder signature changes.

🔗 Resolves:

N/A — new feature

✅ Checklist

  • 🖊️ Commits are signed
  • 🧪 Tests added/updated:
    • 🔹 Unit — dockerconfigjson builder tests, deployment imagePullSecrets detection tests
    • 🔸 Integration — controller tests for imagePullSecret rendering via envtest
    • 🌐 E2E (Connect) — not added (requires 1Password vault fixtures)
    • 🔑 E2E (Service Account) — not added (requires 1Password vault fixtures)
  • 📚 Docs updated (USAGEGUIDE.md)

🕵️ Review Notes & ⚠️ Risks

  • Priority system: ImagePullSecret is priority 1 in BuildKubernetesSecretData. If configured but fields are missing/invalid, it falls back to the default field mapping with a logged error.
  • No breaking changes: The imagePullSecret field is optional. Existing resources behave identically.
  • Restart detection: Added AreImagePullSecretsUsingSecrets and AppendUpdatedImagePullSecrets so deployments referencing updated imagePullSecrets via pod.Spec.ImagePullSecrets are properly detected for auto-restart.
  • Dependency: This PR includes commits from feat: add Go template support for secret data rendering #256 in its base. Once feat: add Go template support for secret data rendering #256 merges, the diff will show only the imagePullSecret-specific changes.
  • E2E tests require 1Password vault access — maintainers can validate with /ok-to-test.
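As an added illustration of the builder the summary describes (my own reconstruction in Go, not the PR's BuildDockerConfigJSON; the type and function names here are hypothetical), this resolves the configured field labels against an item's fields, base64-encodes username:password into auth, and returns an error when a required field is missing or empty so the caller can fall back to the default mapping:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// ImagePullSecretConfig mirrors the field-mapping shape the PR describes
// (a hypothetical reconstruction for this example, not the operator's own type).
type ImagePullSecretConfig struct {
	RegistryField, UsernameField, PasswordField, EmailField string
}

// dockerAuth is one entry under "auths" in a kubernetes.io/dockerconfigjson Secret.
type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Email    string `json:"email,omitempty"`
	Auth     string `json:"auth"` // base64("username:password"), so it duplicates the password
}

// buildDockerConfigJSON resolves the configured labels against the item's
// fields and returns the serialized config. A missing or empty required
// field is an error so the caller can fall back to the default mapping.
func buildDockerConfigJSON(fields map[string]string, cfg ImagePullSecretConfig) ([]byte, error) {
	vals := map[string]string{}
	for role, label := range map[string]string{"registry": cfg.RegistryField, "username": cfg.UsernameField, "password": cfg.PasswordField} {
		v, ok := fields[label]
		if !ok || v == "" {
			return nil, fmt.Errorf("imagePullSecret: field %q for %s is missing or empty", label, role)
		}
		vals[role] = v
	}
	auth := base64.StdEncoding.EncodeToString([]byte(vals["username"] + ":" + vals["password"]))
	return json.Marshal(map[string]map[string]dockerAuth{"auths": {
		vals["registry"]: {Username: vals["username"], Password: vals["password"], Email: fields[cfg.EmailField], Auth: auth},
	}})
}

func main() { // constructed field values standing in for a 1Password item
	fields := map[string]string{"registry": "ghcr.io", "username": "myuser", "password": "mytoken", "email": "me@example.com"}
	cfg := ImagePullSecretConfig{"registry", "username", "password", "email"}
	out, err := buildDockerConfigJSON(fields, cfg)
	fmt.Println(string(out), err)
}
```

The result belongs under the .dockerconfigjson key of a Secret whose type is kubernetes.io/dockerconfigjson, which is why the controller auto-sets that type; since auth is just the base64 of the password, the rendered Secret is exactly as sensitive as the 1Password item.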

Add ID, SectionID, and FieldType fields to ItemField. Add ItemSection
struct and Sections slice to Item. Enrich FromConnectItem and FromSDKItem
to populate section metadata from the respective SDK types.

This metadata is needed to support Go template rendering where users can
reference fields by section (e.g. .Sections.Database.username).

Add SecretTemplate struct with a Data map[string]string field and an
optional Template pointer on OnePasswordItemSpec. Regenerate deepcopy
methods and CRD manifests.

This allows users to define Go template strings per secret key in their
OnePasswordItem resources.

Add pkg/template with BuildTemplateContext and ProcessTemplate functions.
BuildTemplateContext constructs a TemplateContext from a model.Item with
three access patterns: .Fields (flat by label), .Sections (nested by
section title), and .FieldsByID (by unique field ID).

ProcessTemplate parses and executes a Go template string against the
context, returning the rendered bytes.

…lers

Update BuildKubernetesSecretData to accept a model.Item and optional
SecretTemplate instead of decomposed fields/urls/files. When a template
is provided, render each key through the Go template engine and return
only the templated keys. Fall back to default field/URL/file mapping
when no template is set.

Thread the SecretTemplate parameter through CreateKubernetesSecretFromItem
and BuildKubernetesSecretFromOnePasswordItem. The OnePasswordItem
controller extracts the template from the resource spec; the deployment
controller and secret update handler pass nil (no template support for
annotation-based secrets).

Update all existing test call sites and add template-specific unit tests
covering multi-key templates, section access, hyphenated keys via index,
invalid template handling, nil template fallback, and end-to-end secret
creation. Add integration tests for template rendering in the controller
test suite.

Document the template feature in USAGEGUIDE.md including basic usage,
multiple keys, template context reference (.Fields, .Sections,
.FieldsByID, index for special characters), and behaviour notes.

Add ImagePullSecretConfig struct to OnePasswordItem spec for configuring
automatic dockerconfigjson generation from 1Password item fields. Users
specify which fields map to registry, username, password, and email.

Add BuildDockerConfigJSON function in the template package that produces
properly structured .dockerconfigjson with base64-encoded auth.

Thread imagePullSecret config through CreateKubernetesSecretFromItem,
BuildKubernetesSecretFromOnePasswordItem, and BuildKubernetesSecretData.

When imagePullSecret is configured, the operator builds a properly
formatted .dockerconfigjson from the specified 1Password fields. The
controller auto-sets the secret type to kubernetes.io/dockerconfigjson
when imagePullSecret is present and no type is explicitly set.

Priority order: imagePullSecret > template > default field mapping.

Add Image Pull Secrets section to USAGEGUIDE.md with quick example,
configuration reference, and behaviour notes.
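To make the template context described in the commits above concrete, here is an added Go example (my own, not the pkg/template code from #256; field, item and the function names are hypothetical stand-ins). It builds the three access patterns from a constructed item and renders one key with text/template; missingkey=error is this example's choice so a mistyped field name fails instead of silently writing "<no value>" into the Secret:

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// field and item are constructed stand-ins for the operator's model.Item (hypothetical, not the project's types).
type field struct{ ID, Section, Label, Value string }
type item struct{ Fields []field }
// TemplateContext: .Fields (flat by label), .Sections (by section title), .FieldsByID (by field ID).
type TemplateContext struct {
	Fields, FieldsByID map[string]string
	Sections           map[string]map[string]string
}

func buildTemplateContext(it item) TemplateContext {
	ctx := TemplateContext{map[string]string{}, map[string]string{}, map[string]map[string]string{}}
	for _, f := range it.Fields {
		ctx.Fields[f.Label], ctx.FieldsByID[f.ID] = f.Value, f.Value
		if f.Section == "" {
			continue
		}
		if ctx.Sections[f.Section] == nil {
			ctx.Sections[f.Section] = map[string]string{}
		}
		ctx.Sections[f.Section][f.Label] = f.Value
	}
	return ctx
}

// processTemplate renders one secret key; parse and execute errors are returned so the caller can fall back.
func processTemplate(tmpl string, ctx TemplateContext) ([]byte, error) {
	t, err := template.New("secret").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err = t.Execute(&buf, ctx); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() { // constructed item: one sectioned field, one hyphenated top-level label
	ctx := buildTemplateContext(item{Fields: []field{{ID: "f1", Section: "Database", Label: "username", Value: "dbuser"}, {ID: "f3", Label: "api-key", Value: "k-123"}}})
	out, err := processTemplate(`{{ .Sections.Database.username }}/{{ index .Fields "api-key" }}/{{ .FieldsByID.f1 }}`, ctx)
	fmt.Println(string(out), err) // dbuser/k-123/dbuser <nil>
}
```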