@kustodian/plugin-1password 1.0.0 → 1.1.0

package/README.md

@@ -0,0 +1,77 @@
+# @kustodian/plugin-1password
+
+1Password secret provider plugin for [Kustodian](https://github.com/lucasilverentand/kustodian). Securely inject secrets from 1Password into your Kubernetes manifests using the 1Password CLI.
+
+## Installation
+
+```bash
+bun add @kustodian/plugin-1password
+```
+
+## Prerequisites
+
+- [1Password CLI](https://developer.1password.com/docs/cli/) (`op`) installed and available in your PATH
+- Authentication configured via service account token or interactive sign-in
+
+## Usage
+
+### As a Kustodian Plugin
+
+```typescript
+import { create_onepassword_plugin } from '@kustodian/plugin-1password';
+
+const plugin = create_onepassword_plugin({
+  service_account_token: process.env.OP_SERVICE_ACCOUNT_TOKEN,
+  timeout: 30000,
+  fail_on_missing: true,
+});
+```
+
+### Direct Secret Access
+
+```typescript
+import { op_read, op_read_batch, check_op_available } from '@kustodian/plugin-1password';
+
+// Check CLI availability
+const check = await check_op_available();
+if (check.success) {
+  console.log(`1Password CLI version: ${check.value}`);
+}
+
+// Read a single secret
+const secret = await op_read('op://vault/item/field');
+
+// Read multiple secrets
+const secrets = await op_read_batch([
+  'op://vault/item/username',
+  'op://vault/item/password',
+]);
+```
+
+### Secret Reference Format
+
+Secrets are referenced using the standard 1Password URI format:
+
+```
+op://vault/item/field
+op://vault/item/section/field
+```
+
+## Configuration Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `service_account_token` | `string` | `undefined` | Service account token (can also use `OP_SERVICE_ACCOUNT_TOKEN` env var) |
+| `timeout` | `number` | `30000` | CLI operation timeout in milliseconds |
+| `fail_on_missing` | `boolean` | `true` | Whether to fail when a secret is not found |
+
+## CLI Commands
+
+The plugin provides CLI commands when registered with Kustodian:
+
+- `1password check` - Verify CLI availability and authentication
+- `1password test <ref>` - Test reading a secret reference
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kustodian/plugin-1password",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "1Password secret provider plugin for Kustodian",
   "type": "module",
   "main": "./src/index.ts",
@@ -37,9 +37,9 @@
     "registry": "https://npm.pkg.github.com"
   },
   "dependencies": {
-    "@kustodian/core": "workspace:*",
-    "@kustodian/plugins": "workspace:*",
-    "@kustodian/schema": "workspace:*"
+    "@kustodian/core": "1.1.0",
+    "@kustodian/plugins": "1.0.1",
+    "@kustodian/schema": "1.3.0"
   },
   "devDependencies": {}
 }

package/src/resolver.ts

@@ -7,6 +7,7 @@ import type { OnePasswordPluginOptionsType } from './types.js';
 
 /**
  * Resolves 1Password substitutions to actual secret values.
+ * Supports both full references and shorthand with cluster defaults.
  * Returns a map from substitution name to resolved value.
  */
 export async function resolve_onepassword_substitutions(
@@ -20,7 +21,36 @@ export async function resolve_onepassword_substitutions(
   const results: Record<string, string> = {};
 
   for (const sub of substitutions) {
-    const result = await op_read(sub.ref, options);
+    // Build the reference string
+    let ref: string;
+
+    if (sub.ref) {
+      // Full reference provided
+      ref = sub.ref;
+    } else if (sub.item && sub.field) {
+      // Shorthand reference - need cluster vault
+      const vault = options.cluster_defaults?.vault;
+      if (!vault) {
+        return failure({
+          code: 'MISSING_1PASSWORD_VAULT',
+          message: `1Password substitution '${sub.name}' uses shorthand but no cluster vault configured`,
+        });
+      }
+
+      // Build op:// reference
+      if (sub.section) {
+        ref = `op://${vault}/${sub.item}/${sub.section}/${sub.field}`;
+      } else {
+        ref = `op://${vault}/${sub.item}/${sub.field}`;
+      }
+    } else {
+      return failure({
+        code: 'INVALID_1PASSWORD_REFERENCE',
+        message: `1Password substitution '${sub.name}' must specify either 'ref' or 'item'+'field'`,
+      });
+    }
+
+    const result = await op_read(ref, options);
 
     if (!result.success) {
       // If we have a default and fail_on_missing is false, use the default

package/src/types.ts

@@ -1,3 +1,11 @@
+/**
+ * Cluster-level 1Password defaults.
+ */
+export interface OnePasswordClusterDefaultsType {
+  /** Default vault name or ID */
+  vault?: string | undefined;
+}
+
 /**
  * Options for the 1Password plugin.
  */
@@ -8,6 +16,8 @@ export interface OnePasswordPluginOptionsType {
   timeout?: number | undefined;
   /** Whether to fail on missing secrets (default: true) */
   fail_on_missing?: boolean | undefined;
+  /** Cluster-level defaults for vault */
+  cluster_defaults?: OnePasswordClusterDefaultsType | undefined;
 }
 
 /**
@@ -37,20 +47,31 @@ export function parse_onepassword_ref(ref: string): OnePasswordRefType | undefin
     return undefined;
   }
 
-  const [, vault, item, section, field] = match;
+  const vault = match[1];
+  const item = match[2];
+  const section = match[3];
+  const field = match[4];
 
   // If section is undefined, the field is in position 3
   if (field === undefined) {
+    // When there's no section, match[3] contains the field
+    if (!vault || !item || !section) {
+      return undefined;
+    }
     return {
-      vault: vault!,
-      item: item!,
-      field: section!,
+      vault,
+      item,
+      field: section,
     };
   }
 
+  if (!vault || !item || !field) {
+    return undefined;
+  }
+
   return {
-    vault: vault!,
-    item: item!,
+    vault,
+    item,
     section,
     field,
   };