1Password
diff --git a/‎.VERSION‎
Lines changed: 1 addition & 1 deletion b/‎.VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/pr-check-signed-commits.yml‎
Lines changed: 13 additions & 0 deletions b/‎.github/workflows/pr-check-signed-commits.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 4 additions & 3 deletions b/‎Dockerfile‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 10 additions & 5 deletions b/‎README.md‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎USAGEGUIDE.md‎
Lines changed: 58 additions & 112 deletions b/‎USAGEGUIDE.md‎
Lines changed: 58 additions & 112 deletions
@@ -1 +1 @@
-1.8.1
+1.9.0
@@ -0,0 +1,13 @@
+name: Check signed commits in PR
+on: pull_request_target
+
+jobs:
+  build:
+    name: Check signed commits in PR
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@v1
@@ -12,6 +12,18 @@
 
 ---
 
+[//]: # (START/v1.9.0)
+# v1.9.0
+
+## Features
+  * Enable the Operator to authenticate to 1Password using service accounts. {#160}
+
+## Fixes
+ * Update Operator to use SDK v1.34.1. {#185}
+ * Pass Kubernetes context down to SDK/Connect. {#199}
+
+---
+
 [//]: # (START/v1.8.1)
 # v1.8.1
 
 
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM golang:1.24 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -8,13 +8,15 @@ WORKDIR /workspace
 COPY go.mod go.mod
 COPY go.sum go.sum
 
+# Download dependencies
+RUN go mod download
+
 # Copy the go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/controller/ internal/controller/
 COPY pkg/ pkg/
 COPY version/ version/
-COPY vendor/ vendor/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
@@ -25,7 +27,6 @@ RUN CGO_ENABLED=0 \
     GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
     go build \
     -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
-    -mod vendor \
     -a -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 
@@ -5,7 +5,7 @@ export MAIN_BRANCH ?= main
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.8.1
+VERSION ?= 1.9.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 
@@ -17,32 +17,39 @@ The 1Password Connect Kubernetes Operator provides the ability to integrate Kube
 
 ### 🚀 Quickstart
 
-1. Add the [1Passsword Helm Chart](https://github.com/1Password/connect-helm-charts) to your repository.
+1. Add the [1Password Helm Chart](https://github.com/1Password/connect-helm-charts) to your repository.
 
 2. Run the following command to install Connect and the 1Password Kubernetes Operator in your infrastructure:
+
 ```
 helm install connect 1password/connect --set-file connect.credentials=1password-credentials-demo.json --set operator.create=true --set operator.token.value = <your connect token>
 ```
 
 3. Create a Kubernetes Secret from a 1Password item:
-```apiVersion: onepassword.com/v1
+
+```
+apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
   name: <item_name> #this name will also be used for naming the generated kubernetes secret
 spec:
   itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
 ```
+
 Deploy the OnePasswordItem to Kubernetes:
+
 ```
 kubectl apply -f <your_item>.yaml
 ```
+
 Check that the Kubernetes Secret has been generated:
 
 ```
 kubectl get secret <secret_name>
 ```
 
 ### 📄 Usage
+
 Refer to the [Usage Guide](USAGEGUIDE.md) for documentation on how to deploy and use the 1Password Operator.
 
 ## 💙 Community & Support
@@ -55,6 +62,4 @@ Refer to the [Usage Guide](USAGEGUIDE.md) for documentation on how to deploy and
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
-
-For information about security practices, please visit the [1Password Bug Bounty Program](https://bugcrowd.com/agilebits).
+Please file requests by sending an email to [email protected].
@@ -5,80 +5,71 @@
 
 ## Table of Contents
 
-- [Prerequisites](#prerequisites)
-- [Deploying 1Password Connect to Kubernetes](#deploying-1password-connect-to-kubernetes)
-- [Kubernetes Operator Deployment](#kubernetes-operator-deployment)
-- [Usage](#usage)
-- [Configuring Automatic Rolling Restarts of Deployments](#configuring-automatic-rolling-restarts-of-deployments)
-- [Development](#development)
+1. [Configuration Options](#configuration-options)
+2. [Use Kubernetes Operator with Service Account](#use-kubernetes-operator-with-service-account)
+    - [Create a Service Account](#1-create-a-service-account)
+    - [Create a Kubernetes secret](#2-create-a-kubernetes-secret-for-the-service-account)
+    - [Deploy the Operator](#3-deploy-the-operator)
+3. [Use Kubernetes Operator with Connect](#use-kubernetes-operator-with-connect)
+    - [Deploy with Helm](#1-deploy-with-helm)
+    - [Deploy manually](#2-deploy-manually)
+4. [Logging level](#logging-level)
+5. [Usage examples](#usage-examples)
+6. [How 1Password Items Map to Kubernetes Secrets](#how-1password-items-map-to-kubernetes-secrets)
+7. [Configuring Automatic Rolling Restarts of Deployments](#configuring-automatic-rolling-restarts-of-deployments)
+8. [Development](#development)
 
-## Prerequisites
 
-- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
-- [`kubectl` installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-- [`docker` installed](https://docs.docker.com/get-docker/)
-- [A `1password-credentials.json` file generated and a 1Password Connect API Token issued for the K8s Operator integration](https://developer.1password.com/docs/connect/get-started/#step-1-set-up-a-secrets-automation-workflow)
-
-## Deploying 1Password Connect to Kubernetes
-
-If 1Password Connect is already running, you can skip this step.
-
-There are options to deploy 1Password Connect:
-
-- [Deploy with Helm](#deploy-with-helm)
-- [Deploy using the Connect Operator](#deploy-using-the-connect-operator)
-
-### Deploy with Helm
-
-The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes.
-
-[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
-
-### Deploy using the Connect Operator
+---
 
-This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however, it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
+## Configuration options
+There are 2 ways 1Password Operator can talk to 1Password servers:
+- [1Password Service Accounts](https://developer.1password.com/docs/service-accounts)
+- [1Password Connect](https://developer.1password.com/docs/connect/)
 
-Encode the `1password-credentials.json` file you generated in the prerequisite steps and save it to a file named `op-session`:
+---
 
-```bash
-cat 1password-credentials.json | base64 | \
-  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
-```
+##  Use Kubernetes Operator with Service Account
 
-Create a Kubernetes secret from the op-session file:
+### 1. [Create a service account](https://developer.1password.com/docs/service-accounts/get-started#create-a-service-account)
+### 2. Create a Kubernetes secret for the Service Account
+- Set `OP_SERVICE_ACCOUNT_TOKEN` environment variable to the service account token you created in the previous step. This token will be used by the operator to access 1Password items.
+- Create Kubernetes secret:
 
 ```bash
-kubectl create secret generic op-credentials --from-file=op-session
+kubectl create secret generic onepassword-service-account-token --from-literal=token="$OP_SERVICE_ACCOUNT_TOKEN"
 ```
 
-Add the following environment variable to the onepassword-connect-operator container in `/config/manager/manager.yaml`:
+### 3. Deploy the Operator
 
-```yaml
-- name: MANAGE_CONNECT
-  value: "true"
-```
-
-Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the current namespace.
+An sample Deployment yaml can be found at `/config/manager/manager.yaml`.
+To use Operator with Service Account, you need to set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable in the `/config/manager/manager.yaml`. And remove `OP_CONNECT_TOKEN` and `OP_CONNECT_HOST` environment variables.
 
-### Kubernetes Operator Deployment
+To further configure the 1Password Kubernetes Operator the following Environment variables can be set in the operator yaml:
 
-#### Create Kubernetes Secret for OP_CONNECT_TOKEN ####
+- **OP_SERVICE_ACCOUNT_TOKEN** *(required)*: Specifies Service Account token within Kubernetes to access the 1Password items.
+- **WATCH_NAMESPACE:** *(default: watch all namespaces)*: Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** *(default: 600)*: The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password.
+- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
 
-Create a Connect token for the operator and save it as a Kubernetes Secret:
+To deploy the operator, simply run the following command:
 
-```bash
-kubectl create secret generic onepassword-token --from-literal=token="<OP_CONNECT_TOKEN>"
+```shell
+make deploy
 ```
 
-If you do not have a token for the operator, you can generate a token and save it to Kubernetes with the following command:
+**Undeploy Operator**
 
-```bash
-kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+```
+make undeploy
 ```
 
-**Deploying the Operator**
+---
 
-An sample Deployment yaml can be found at `/config/manager/manager.yaml`.
+## Use Kubernetes Operator with Connect
+
+### 1. [Deploy with Helm](https://developer.1password.com/docs/k8s/operator/?deployment-type=helm#helm-step-1)
+### 2. [Deploy manually](https://developer.1password.com/docs/k8s/operator/?deployment-type=manual#manual-step-1)
 
 To further configure the 1Password Kubernetes Operator the following Environment variables can be set in the operator yaml:
 
@@ -88,89 +79,42 @@ To further configure the 1Password Kubernetes Operator the following Environment
 - **MANAGE_CONNECT** *(default: false)*: If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the current namespace.
 - **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
 
-You can also set the logging level by setting `--zap-log-level` as an arg on the containers to either `debug`, `info` or `error`. (Note: the default value is `debug`.)
+---
+
+## Logging level
+You can set the logging level by setting `--zap-log-level` as an arg on the containers to either `debug`, `info` or `error`. The default value is `debug`.
 
 Example:
 ```yaml
-.
-.
-.
+....
 containers:
       - command:
         - /manager
         args:
         - --leader-elect
         - --zap-log-level=info
         image: 1password/onepassword-operator:latest
-.
-.
-.
+....
 ```
-To deploy the operator, simply run the following command:
 
-```shell
-make deploy
-```
-
-**Undeploy Operator**
-
-```
-make undeploy
-```
-
-## Usage
-
-To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
-
-```yaml
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: <item_name> #this name will also be used for naming the generated kubernetes secret
-spec:
-  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
-```
-
-Deploy the OnePasswordItem to Kubernetes:
-
-```bash
-kubectl apply -f <your_item>.yaml
-```
-
-To test that the Kubernetes Secret check that the following command returns a secret:
-
-```bash
-kubectl get secret <secret_name>
-```
-
-**Note:** Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
+---
 
-To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
+## Usage examples
+Find usage [examples](https://developer.1password.com/docs/k8s/operator/?deployment-type=manual#usage-examples) on 1Password developer documentation.
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deployment-example
-  annotations:
-    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
-    operator.1password.io/item-name: "<secret_name>"
-```
+---
 
-Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
+## How 1Password Items Map to Kubernetes Secrets
 
 The contents of the Kubernetes secret will be key-value pairs in which the keys are the fields of the 1Password item and the values are the corresponding values stored in 1Password.
 In case of fields that store files, the file's contents will be used as the value.
 
 Within an item, if both a field storing a file and a field of another type have the same name, the file field will be ignored and the other field will take precedence.
 
-**Note:** Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
+Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
 
 If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
 
----
-
-**NOTE**
 
 If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item.
 
@@ -237,6 +181,8 @@ metadata:
 
 If the value is not set, the auto restart settings on the deployment will be used.
 
+---
+
 ## Development
 
 ### How it works