Helm chart configuration
This page documents the configuration options for the 1Password Helm charts:
Connect and Operator Helm chart
The 1Password Connect and Operator Helm chart allows you to use Helm to deploy Connect, the Kubernetes Operator, or both.
You can override configuration values in a chart with the helm install command using either the --values flag or the --set flag. You can also force a string value with the --set-string flag.
For example, the following code block shows how to use the --set flag to set the connect.applicationName configuration value:
Refer to the official helm install documentation for more information.
info
By default, installing a 1Password Helm chart also installs the OnePasswordItem database operations for CRD (Custom Resource Definition).
If you don't want to install the OnePasswordItem custom resource definitions (CRD), run helm install with the --skip-crds flag .
Configuration options
The following table documents the available configuration options for the 1Password Connect and Operator Helm chart.
tip
If you have a large configuration value, use --set-file to read the single large value from the file (instead of --values or --set).
For example:
| Key | Type | Default | Description |
|---|---|---|---|
connect.create | boolean | true | Denotes whether to deploy the 1Password Connect server. Set this value to false and operator.create to true to only deploy the Kubernetes Operator. See Deploy without Connect. |
connect.replicas | integer | 1 | The number of replicas to run the 1Password Connect deployment. |
connect.applicationName | string | "onepassword-connect" | The name of 1Password Connect application. |
connect.host | string | "onepassword-connect" | The name of 1Password Connect host. |
connect.api.imageRepository | string | "1password/connect-api | The 1Password Connect API repository. |
connect.api.name | string | "connect-api" | The name of the 1Password Connect API container. |
connect.api.resources | object | {} | The resources requests/limits for the 1Password Connect API pod. |
connect.api.httpPort | integer | 8080 | The port the Connect API is served on when not using TLS. |
connect.api.httpsPort | integer | 8443 | The port the Connect API is served on when using TLS. |
connect.api.logLevel | string | info | The log level of the Connect API container. Valid options are trace, debug, info, warn, and error. |
connect.credentials | jsonString | The contents of the 1password-credentials.json file for Connect. You can set it by adding --set-file connect.credentials=<path/to/1password-credentials.json> to your helm install command. | |
connect.credentials_base64 | string | The base64-encoded contents of the 1password-credentials.json file for Connect. You can use this instead of connect.credentials if supplying raw JSON to connect.credentials lead to issues. | |
connect.credentialsKey | string | "1password-credentials.json" | The key for the 1Password Connect credentials (stored in the credentials secret). The credentials must be encoded as a base64 string. |
connect.credentialsName | string | "op-credentials" | The name of Kubernetes Secret containing the 1Password Connect credentials. |
connect.dataVolume.name | string | "shared-data" | The name of the shared volume used between 1Password Connect containers. |
connect.dataVolume.type | string | "emptyDir" | The type of shared volume used between 1Password Connect containers. |
connect.dataVolume.values | object | {} | Describes the fields and values for the configuration of the shared volume for 1Password Connect. |
connect.imagePullPolicy | string | "IfNotPresent" | The 1Password Connect API image pull policy. |
connect.ingress.annotations | object | {} | The 1Password Connect ingress annotations. |
connect.ingress.enabled | bool | false | Whether to enable 1Password Connect ingress traffic. |
connect.ingress.extraPaths | list | [] | Additional ingress paths. |
connect.ingress.hosts[0].host | string | "chart-example.local" | The 1Password Connect ingress hostname. |
connect.ingress.hosts[0].paths | list | [] | The 1Password Connect ingress path. |
connect.ingress.ingressClassName | string | "" | Optionally use ingressClassName instead of a deprecated annotation. |
connect.ingress.labels | object | {} | Ingress labels for 1Password Connect. |
connect.ingress.pathType | string | "Prefix" | Ingress PathType . |
connect.ingress.tls | list | [] | Ingress TLS . |
connect.nodeSelector | object | {} | The Node selector stanza for the Connect pod. |
connect.probes.readiness | boolean | true | Denotes whether the 1Password Connect API readiness probe operates and ensures the pod is ready before serving traffic. |
connect.probes.liveness | boolean | true | Denotes whether Kubernetes continually checks the 1Password Connect API for liveness and restarts if the pod becomes unresponsive. |
connect.annotations | object | {} | Additional annotations to add to the Connect API deployment resource. |
connect.labels | object | {} | Additional labels to add to the Connect API deployment resource. |
connect.podAnnotations | object | {} | Additional annotations to be added to the Connect API pods. |
connect.podLabels | object | {} | Additional labels to be added to the Connect API pods. |
connect.serviceType | string | NodePort | The type of Service resource to create for the Connect API and Connect Sync services. |
connect.serviceAnnotations | object | {} | Additional annotations to be added to the service. |
connect.sync.imageRepository | string | "1password/connect-sync" | The 1Password Connect Sync repository. |
connect.sync.name | string | "connect-sync" | The name of the 1Password Connect Sync container. |
connect.sync.resources | object | {} | The resources requests/limits for the 1Password Connect Sync pod. |
connect.sync.httpPort | integer | 8081 | The port serving the health of the Connect Sync container. |
connect.sync.logLevel | string | info | The log level of the Connect Sync container. Valid options are trace, debug, info, warn, and error. |
connect.tls.enabled | boolean | false | Denotes whether the Connect API is secured with TLS. |
connect.tls.secret | string | "op-connect-tls" | The name of the secret containing the TLS key (tls.key) and certificate (tls.crt). |
connect.tolerations | list | [] | A list of tolerations to be added to the Connect API pods. |
connect.version | string | {{.Chart.AppVersion}} | The 1Password Connect version to pull. |
operator.autoRestart | boolean | false | Denotes whether the Kubernetes Operator automatically restarts deployments based on associated updated secrets. See Automatic redeployment. |
operator.create | boolean | false | Denotes whether to deploy the Kubernetes Operator. You can set this to false to only deploy Connect. |
operator.imagePullPolicy | string | "IfNotPresent" | The Kubernetes Operator image pull policy. |
operator.imageRepository | string | "1password/onepassword-operator" | The Kubernetes Operator repository. |
operator.nodeSelector | object | {} | Node selector stanza for the Kubernetes Operator pod. |
operator.annotations | object | {} | Additional annotations to add to the Kubernetes Operator deployment resource. |
operator.labels | object | {} | Additional labels to be added to the Operator deployment resource. |
operator.logLevel | string | info | The log level of the Kubernetes Operator container. Valid options are: debug, info, and error. |
operator.podAnnotations | object | {} | Additional annotations to add to the Kubernetes Operator pods. |
operator.podLabels | object | {} | Additional labels to add to the Kubernetes Operator pods. |
operator.pollingInterval | integer | 600 | The interval at which the Kubernetes Operator polls for secrets updates. |
operator.clusterRole.create | boolean | {{.Values.operator.create}} | Denotes whether to create a cluster role for the Kubernetes Operator. |
operator.clusterRole.name | string | "onepassword-connect-operator" | The name of the Kubernetes Operator Cluster Role . |
operator.clusterRoleBinding.create | boolean | {{.Values.operator.create}} | Denotes whether to create a ClusterRole binding for the Kubernetes Operator Service Account. |
operator.roleBinding.create | boolean | {{.Values.operator.create}} | Denotes whether to create a role binding for each Namespace for the Kubernetes Operator Service Account. |
operator.roleBinding.name | string | "onepassword-connect-operator" | The name of the Kubernetes Operator Role Binding. |
operator.serviceAccount.annotations | object | {} | The annotations for the 1Password Connect Service Account. |
operator.serviceAccount.create | boolean | {{.Values.operator.create}} | Denotes whether to create a Service Account for the Kubernetes Operator. |
operator.serviceAccount.name | string | "onepassword-connect-operator" | The name of the Kubernetes Operator. |
operator.tolerations | list | [] | A list of tolerations to add to the Kubernetes Operator pods. |
operator.version | string | "1.8.0" | The Kubernetes Operator version to pull. It defaults to the latest version. |
operator.token.key | string | "token" | The key for the 1Password Connect token (stored in the 1Password token secret). |
operator.token.name | string | "onepassword-token" | The name of Kubernetes Secret containing the 1Password Connect API token. |
operator.token.value | string | "onepassword-token" | An API token generated for 1Password Connect to be used by the Kubernetes Operator. |
operator.watchNamespace | list | [] | A list of namespaces for the Kubernetes Operator to watch and manage. Use the empty list to watch all namespaces. |
operator.resources | object | {} | The resources requests/limits for the Kubernetes Operator pod. |
Secrets Injector Helm chart
The 1Password Secrets Injector Helm chart allows you to use Helm to deploy the Kubernetes Secrets Injector.
You can override configuration values in a chart with the helm install command using either the --values flag or the --set flag. You can also force a string value with the --set-string flag.
For example, the following code block shows how to use the --set flag to set the injector.applicationName configuration value:
Refer to the official helm install documentation for more information.
Configuration options
The following table documents the available configuration options for the Secrets Injector Helm chart.
tip
If you have a large configuration value, use --set-file to read the single large value from the file (instead of --values or --set).
For example:
| Key | Type | Default | Description |
|---|---|---|---|
injector.applicationName | string | "secrets-injector" | The name of 1Password Kubernetes Secrets Injector Application. |
injector.imagePullPolicy | string | "IfNotPresent" | The 1Password Secrets Injector Docker image policy. "IfNotPresent" means the image is pulled only if it is not already present locally. |
injector.imageRepository | string | "1password/kubernetes-secrets-injector" | The 1Password Secrets Injector docker image repository. |
injector.port | string | 443 | The port the Secrets Injector exposes. |
injector.targetPort | integer | 8443 | The port the Secrets Injector API sends requests to the pod. |
injector.version | string | {{.Chart.AppVersion}} | The 1Password Secrets Injector version to pull. |