blumeops/argocd/apps/1password-connect.yaml

# 1Password Connect - Secrets Automation Server
# Provides REST API access to 1Password vault items for External Secrets Operator
#
# Manifests rendered from connect-helm-charts v2.4.1, maintained as plain kustomize.
#
# Prerequisites (one-time setup):
# 1. Create Connect server: op connect server create blumeops --vaults blumeops
# 2. Create token: op connect token create blumeops --server <server-id> --vault blumeops
# 3. Store credentials in 1Password item "1Password Connect" in blumeops vault
# 4. Bootstrap secret:
#    kubectl --context=minikube-indri create namespace 1password
#    op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
#      kubectl --context=minikube-indri apply -f -
#
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: 1password-connect
  namespace: argocd
spec:
  project: default
  source:
    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
    targetRevision: main
    path: argocd/manifests/1password-connect
  destination:
    server: https://kubernetes.default.svc
    namespace: 1password
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`# 1Password Connect - Secrets Automation Server`
			`# Provides REST API access to 1Password vault items for External Secrets Operator`
			`#`
Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326) ## Summary - Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service) - Bumps 1Password Connect from 1.8.1 → 1.8.2 - Completes the no-helm-policy migration — all services now use kustomize - Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits) ## Changes - New: `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/` - Rewritten: Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm - Deleted: `values.yaml` (Helm values no longer needed) - Updated: `no-helm-policy.md`, `service-versions.yaml`, `README.md` ## Deployment plan 1. Sync `apps` app to pick up the new app definitions 2. `argocd app set 1password-connect --revision 1password-connect-kustomize` 3. `argocd app sync 1password-connect` — verify on indri 4. Repeat for ringtail 5. After merge: reset revision to main, re-sync both ## Test plan - [ ] `kubectl kustomize` renders cleanly (verified locally) - [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped) - [ ] Pods come up healthy on indri - [ ] External Secrets still resolves 1Password items - [ ] Repeat on ringtail Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/326 2026-04-06 07:31:40 -07:00			`# Manifests rendered from connect-helm-charts v2.4.1, maintained as plain kustomize.`
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`#`
			`# Prerequisites (one-time setup):`
			`# 1. Create Connect server: op connect server create blumeops --vaults blumeops`
			`# 2. Create token: op connect token create blumeops --server <server-id> --vault blumeops`
			`# 3. Store credentials in 1Password item "1Password Connect" in blumeops vault`
			`# 4. Bootstrap secret:`
			`# kubectl --context=minikube-indri create namespace 1password`
			`# op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| \`
			`# kubectl --context=minikube-indri apply -f -`
			`#`
			`apiVersion: argoproj.io/v1alpha1`
			`kind: Application`
			`metadata:`
			`name: 1password-connect`
			`namespace: argocd`
			`spec:`
			`project: default`
Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326) ## Summary - Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service) - Bumps 1Password Connect from 1.8.1 → 1.8.2 - Completes the no-helm-policy migration — all services now use kustomize - Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits) ## Changes - New: `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/` - Rewritten: Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm - Deleted: `values.yaml` (Helm values no longer needed) - Updated: `no-helm-policy.md`, `service-versions.yaml`, `README.md` ## Deployment plan 1. Sync `apps` app to pick up the new app definitions 2. `argocd app set 1password-connect --revision 1password-connect-kustomize` 3. `argocd app sync 1password-connect` — verify on indri 4. Repeat for ringtail 5. After merge: reset revision to main, re-sync both ## Test plan - [ ] `kubectl kustomize` renders cleanly (verified locally) - [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped) - [ ] Pods come up healthy on indri - [ ] External Secrets still resolves 1Password items - [ ] Repeat on ringtail Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/326 2026-04-06 07:31:40 -07:00			`source:`
			`repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git`
			`targetRevision: main`
			`path: argocd/manifests/1password-connect`
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`destination:`
			`server: https://kubernetes.default.svc`
			`namespace: 1password`
			`syncPolicy:`
			`syncOptions:`
			`- CreateNamespace=true`