1Password/onepassword-operator

Support Service Accounts

mt35-rs opened this issue · 2 comments

Summary

With Service Account functionality now released, will this be supported in the 1Password Operator? This would allow the operator to be used without the Connect server.

Use cases

Running an Operator to automatically generate and update Kubernetes secrets from 1Password items. Basically, same use case as always, just doing so without having to provision a Connect server in the same cluster.

Proposed solution

Support the OP_SERVICE_ACCOUNT_TOKEN environment variable used to authenticate against a service account. Resolution of 1Password items would then use the service account token to communicate directly with 1Password rather than using the Connect server.

Is there a workaround to accomplish this today?

The only option I'm currently aware of is to run a private Connect server which consumes cluster resources.

References & Prior Work

I'm pretty sure the Kubernetes Secret Injector for 1Password supports this, as does the op CLI tool. It would be useful if the various SDKs and this Operator would also support service accounts.

Go SDK would be huge for integrations.

Hey there.
Thank you for expressing your interest in supporting service accounts with the operator.
I can't provide any timelines of when we will look further into this, but we will keep you updated when there's progress on it. 😄