From d6d67067c31c145bf0714730e4afa3d764943549 Mon Sep 17 00:00:00 2001
From: Robert Detjens
Date: Thu, 5 Feb 2026 14:16:02 -0800
Subject: [PATCH 1/2] Fetch Opensearch 1P service account token for 1P Jenkins plugin

This secret is originally from the Opensearch account Shared vault, but has been copied to the LF account Release Engineering vault so that it can be automatically rotated by the existing ESO. (This doesn't make sense to set up as its own second ESO store, since the cluster will not be fetching any other secrets from the Opensearch vault; the 1Password Jenkins plugin will be doing the fetching from the jobs which does not involve the cluster ESO)

Signed-off-by: Robert Detjens
---
 .../templates/opensearch-1password-token.yaml | 15 +++++++++++++++
 production/values.yaml | 18 ++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 base/jenkins/templates/opensearch-1password-token.yaml

diff --git a/base/jenkins/templates/opensearch-1password-token.yaml b/base/jenkins/templates/opensearch-1password-token.yaml
new file mode 100644
index 0000000..4b1df68
--- /dev/null
+++ b/base/jenkins/templates/opensearch-1password-token.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: opensearch-1password-sa-token
+ namespace: {{ template "jenkins.namespace" . }}
+spec:
+ secretStoreRef:
+ kind: SecretStore
+ name: onepassword-releng
+ target:
+ creationPolicy: Owner
+ data:
+ - secretKey: token
+ remoteRef:
+ key: "Opensearch 1Password Service Account token/credential"
diff --git a/production/values.yaml b/production/values.yaml
index 204c0eb..daf3076 100644
--- a/production/values.yaml
+++ b/production/values.yaml
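Review bot: The ExternalSecret's `target` carries no `name`, so (if I read ESO's default correctly) the Secret it creates takes the ExternalSecret's own name, `opensearch-1password-sa-token`, while the production/values.yaml hunk that follows reads `secretKeyRef.name: opensearch-onepassword-sa-token`. Unless a Secret with that second name already exists in the namespace, the controller pod will fail at container start because a non-optional `secretKeyRef` points at a missing Secret, and nothing at Helm render time flags the mismatch. The second patch drops the CLI copy of the env var but keeps `OPENSEARCH_ONEPASSWORD_SA_TOKEN`, so the mismatch survives into the final state. Either pin the target explicitly, `target:` / `  name: opensearch-onepassword-sa-token` / `  creationPolicy: Owner`, or change the `secretKeyRef.name` values in production/values.yaml to `opensearch-1password-sa-token`. Since this token was copied to the Releng vault specifically so ESO can rotate it, an explicit `spec.refreshInterval` would make the intended rotation cadence visible in the manifest rather than leaving it to the ESO default.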
@@ -398,20 +398,34 @@ jenkins:
 - name: SAML_LOGOUT_URL
 value: "https://sso.linuxfoundation.org/samlp/BLgSYAt8E0oXf5EJSWxeuAnUP2JZUg46/logout"

- # 1Password Service Account Token (ESO-managed)
+ # LF Releng 1Password Service Account Token
 - name: ONEPASSWORD_SA_TOKEN
 valueFrom:
 secretKeyRef:
 name: onepassword-sa-token
 key: token

- # 1Password CLI Service Account Token (required by 1Password CLI)
+ # LF Releng 1Password CLI Service Account Token
 - name: OP_SERVICE_ACCOUNT_TOKEN
 valueFrom:
 secretKeyRef:
 name: onepassword-sa-token
 key: token

+ # Opensearch 1Password Service Account Token (ESO-managed from 1Password)
+ - name: OPENSEARCH_ONEPASSWORD_SA_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: opensearch-onepassword-sa-token
+ key: token
+
+ # Opensearch 1Password CLI Service Account Token (ESO-managed from 1Password)
+ - name: OPENSEARCH_OP_SERVICE_ACCOUNT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: opensearch-onepassword-sa-token
+ key: token
+
 # EC2 SSH Private Key (ESO-managed from 1Password)
 - name: OPENSEARCH_EC2_PRIVATE_KEY
 valueFrom:

From ed5ce2064067537a17d5f9fb2a1e49d954c46554 Mon Sep 17 00:00:00 2001
From: Robert Detjens
Date: Thu, 5 Feb 2026 14:29:52 -0800
Subject: [PATCH 2/2] Remove duplicated 1P service account envvar

The `op` cli is not used by the Jenkins controller and this token is only used by the JCASC to configure the plugin. The jobs that fetch 1P secrets get the token from the plugin config not this envvar.

Signed-off-by: Robert Detjens
---
 production/values.yaml | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/production/values.yaml b/production/values.yaml
index daf3076..59ab9cf 100644
--- a/production/values.yaml
+++ b/production/values.yaml
@@ -405,13 +405,6 @@ jenkins:
 name: onepassword-sa-token
 key: token

- # LF Releng 1Password CLI Service Account Token
- - name: OP_SERVICE_ACCOUNT_TOKEN
- valueFrom:
- secretKeyRef:
- name: onepassword-sa-token
- key: token
-
 # Opensearch 1Password Service Account Token (ESO-managed from 1Password)
 - name: OPENSEARCH_ONEPASSWORD_SA_TOKEN
 valueFrom:
@@ -419,13 +412,6 @@ jenkins:
 name: opensearch-onepassword-sa-token
 key: token

- # Opensearch 1Password CLI Service Account Token (ESO-managed from 1Password)
- - name: OPENSEARCH_OP_SERVICE_ACCOUNT_TOKEN
- valueFrom:
- secretKeyRef:
- name: opensearch-onepassword-sa-token
- key: token
-
 # EC2 SSH Private Key (ESO-managed from 1Password)
 - name: OPENSEARCH_EC2_PRIVATE_KEY
 valueFrom: