
Secret Resolution Flow

This module glues the OctoDNS Metaname provider to the shared OpsDev.nz 1Password helpers delivered by the op_opsdevnz package. The diagram below shows how secrets are resolved in both local development and CI.

flowchart TD
    subgraph OctoDNS
        A[octodns_metaname.secrets.get_secret]
        B{_secret_resolver?}
        A --> B
    end
    B -- configured --> C[op_opsdevnz.octodns_hooks.resolve]
    B -- not set --> ENV[Environment<br/>variables]
    ENV -->|plain value| DONE
    C -->|has ref| D[op_opsdevnz.onepassword.get_secret]
    C -->|no ref| LOOKUP[Lookup NAME_REF env var]
    LOOKUP --> D
    subgraph OP1Password["1Password Helper<br/>(op_opsdevnz.onepassword)"]
        D -->|Service Account token| SA[Connect/Service Account API]
        D -->|fallback| CLI[`op` CLI via session]
    end
    SA --> DONE[Secret value]
    CLI --> DONE

Local development

  • Developers usually export the Metaname references (*_REF) from an env file, e.g. env/metaname-test-opstest.env.
  • octodns_metaname.secrets.get_secret passes the secret name and reference to op_opsdevnz.octodns_hooks.resolve.
  • The resolver calls op_opsdevnz.onepassword.get_secret(..., prefer_cli=True), which tries to use the local op CLI session first. This supports personal vault access without needing the service-account secrets.
  • If the CLI is unavailable, the helper still attempts the service-account flow when the required credentials (OP_SERVICE_ACCOUNT_TOKEN, or the equivalent Connect server settings) are present, so CI-like automation can run locally.
  • Direct environment overrides (e.g. METANAME_API_TOKEN=...) take precedence and short-circuit the resolver, which is handy for testing without touching 1Password. The flip side is that a stale exported token silently masks the 1Password value, so unset such overrides before relying on the *_REF flow.

CI/CD pipeline

  • Pipelines set OCTODNS_METANAME_SECRET_RESOLVER="op_opsdevnz.octodns_hooks:resolve" before invoking OctoDNS commands.
  • They inject *_REF variables alongside the 1Password service-account token (usually provided via OP_SERVICE_ACCOUNT_TOKEN or the Connect server).
  • When get_secret runs in CI, op_opsdevnz.onepassword.get_secret detects the service-account token and fetches the secret directly from 1Password. The CLI fallback is skipped because no interactive session is available.
  • Any failure to resolve a secret raises octodns_metaname.secrets.MissingSecret so the job fails fast instead of deploying with missing credentials.
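The resolution order described in the local-development and CI lists above, modelled in Python as an added example (this is not the octodns_metaname or op_opsdevnz code). The environment variable OCTODNS_METANAME_SECRET_RESOLVER, its "module:attr" value, the *_REF convention and the MissingSecret exception come from this page; the precedence of a plain value over the resolver, the resolver call signature resolve(name, ref), and every helper name and op:// reference below are assumptions made for the illustration.

```python
import importlib
import os
from typing import Callable, Mapping, Optional

RESOLVER_ENV = "OCTODNS_METANAME_SECRET_RESOLVER"  # variable name from the page


class MissingSecret(RuntimeError):
    """Raised when a secret cannot be resolved, so the run fails fast."""


# Assumed resolver contract: takes the secret name and its 1Password
# reference (None when no *_REF variable was exported) and returns the
# value, or None when the reference is unknown.
Resolver = Callable[[str, Optional[str]], Optional[str]]


def load_resolver(env: Mapping[str, str]) -> Optional[Resolver]:
    """Import the callable named by OCTODNS_METANAME_SECRET_RESOLVER ("pkg.mod:attr")."""
    spec = env.get(RESOLVER_ENV, "").strip()
    if not spec:
        return None  # resolver not configured: caller falls back to plain env values
    module_name, sep, attr = spec.partition(":")
    if not (sep and module_name and attr):
        raise MissingSecret(f"{RESOLVER_ENV}={spec!r} is not of the form module:attr")
    try:
        return getattr(importlib.import_module(module_name), attr)
    except (ImportError, AttributeError) as exc:
        raise MissingSecret(f"cannot load resolver {spec!r}: {exc}") from exc


def get_secret(name: str, env: Mapping[str, str] = os.environ,
               resolver: Optional[Resolver] = None) -> str:
    """Resolve one secret: plain env var first (assumed precedence), then the
    configured resolver with the NAME_REF reference; anything else raises."""
    plain = env.get(name)
    if plain:  # e.g. METANAME_API_TOKEN=... short-circuits 1Password entirely
        return plain
    if resolver is None:
        resolver = load_resolver(env)
    if resolver is None:
        raise MissingSecret(f"{name} is not set and no {RESOLVER_ENV} is configured")
    ref = env.get(f"{name}_REF")  # e.g. METANAME_API_TOKEN_REF=op://...
    value = resolver(name, ref)
    if not value:
        raise MissingSecret(f"{name}: resolver returned nothing for ref {ref!r}")
    return value


# Constructed stand-in for op_opsdevnz.octodns_hooks.resolve, backed by a dict
# instead of 1Password. The op:// reference is made up for this demo.
FAKE_VAULT = {"op://Metaname/test-opstest/api_token": "mn-token-from-vault"}


def fake_resolve(name: str, ref: Optional[str]) -> Optional[str]:
    """Look the reference up in the fake vault; None mirrors a missing *_REF."""
    return None if ref is None else FAKE_VAULT.get(ref)


def demo() -> dict:
    """Exercise the paths the page describes; returns what each produced."""
    ref_only = {"METANAME_API_TOKEN_REF": "op://Metaname/test-opstest/api_token"}
    override = {"METANAME_API_TOKEN": "plain-dev-token", **ref_only}
    results = {
        "via_resolver": get_secret("METANAME_API_TOKEN", ref_only, fake_resolve),
        "env_override": get_secret("METANAME_API_TOKEN", override, fake_resolve),
    }
    try:  # no *_REF and no plain value: the job must fail fast, not deploy
        get_secret("METANAME_API_TOKEN", {}, fake_resolve)
    except MissingSecret as exc:
        results["missing"] = type(exc).__name__
    try:  # a malformed resolver spec is also a hard failure
        load_resolver({RESOLVER_ENV: "op_opsdevnz.octodns_hooks"})
    except MissingSecret as exc:
        results["bad_spec"] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

Passing `resolver` explicitly, as `demo()` does, keeps the unit test independent of the real op_opsdevnz import; in a pipeline the same function would pick the resolver up from OCTODNS_METANAME_SECRET_RESOLVER and fail with MissingSecret if the spec, the *_REF variable or the 1Password lookup is wrong.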

Keeping flows aligned

octodns_metaname delegates secret lookups to the same 1Password helper used by the rest of the OpsDev.nz tooling. By pointing OctoDNS at op_opsdevnz.octodns_hooks.resolve we avoid bespoke credential handling inside provider code and keep the local and CI authentication flows aligned.