blumeops/docs/zk/external-secrets.md

---
id: external-secrets
aliases:
  - external-secrets
  - eso
  - external-secrets-operator
tags:
  - blumeops
---

# External Secrets Operator

External Secrets Operator (ESO) syncs secrets from 1Password to Kubernetes Secrets via 1Password Connect.

## Architecture

```
1Password Cloud
      |
      v
1Password Connect (namespace: 1password)
      |
      v
External Secrets Operator (namespace: external-secrets)
      |
      v
Native Kubernetes Secrets
```

## Usage

ClusterSecretStore `onepassword-blumeops` provides access to the blumeops vault. See `argocd/manifests/devpi/external-secret.yaml` for a simple example.

**Important:** 1Password Connect doesn't support the `?ssh-format=openssh` query parameter. SSH keys must be stored as Secure Notes with the OpenSSH-formatted key (see `argocd-forge-ssh-key` item).

```bash
# Check all ExternalSecrets
kubectl --context=minikube-indri get externalsecret -A

# Find 1Password field names
op item get <item> --vault blumeops --format json | jq '.fields[] | .label'
```

## Bootstrap (One-Time Setup)

If reinstalling from scratch:

1. Create Connect server credentials:
   ```bash
   op connect server create blumeops --vaults blumeops
   op connect token create blumeops --server <server-id> --vault blumeops
   ```

2. Store in 1Password item "1Password Connect":
   - `credentials-file`: raw JSON
   - `credentials-base64`: base64-encoded JSON
   - `token`: access token

3. Apply bootstrap secret:
   ```bash
   kubectl --context=minikube-indri create namespace 1password
   op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
     kubectl --context=minikube-indri apply -f -
   ```

4. Sync apps in order:
   - `argocd app sync 1password-connect`
   - `argocd app sync external-secrets-crds`
   - `argocd app sync external-secrets`
   - `argocd app sync external-secrets-config`

## Related

- [[1767747119-YCPO|BlumeOps]]
- [[argocd|ArgoCD]]
Add docs/ with blumeops zk cards (#82) ## Summary - Move 21 blumeops-tagged zettelkasten cards from ~/code/personal/zk/ to docs/ - Create symlink ~/code/personal/zk/blumeops -> blumeops/docs for obsidian integration - Update zk-docs mise task to read from local docs/ directory - Add blumeops workspace to obsidian.nvim config (strict=true) ## Benefits - Docs are now git-managed in the blumeops repo (visible on GitHub) - Wiki links between blumeops docs continue to work via symlink - obsidian-sync isolation: docs don't sync to work laptop - Direct editing via obsidian.nvim with dedicated workspace ## Testing - [x] Files moved to docs/ (21 files) - [x] Symlink created: ~/code/personal/zk/blumeops -> blumeops/docs - [x] zk-docs mise task updated and working - [ ] Verify obsidian.nvim link resolution (after merge) - [ ] Verify obsidian backlinks work 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/82 2026-02-02 21:40:53 -08:00			`---`
			`id: external-secrets`
			`aliases:`
			`- external-secrets`
			`- eso`
			`- external-secrets-operator`
			`tags:`
			`- blumeops`
			`---`

			`# External Secrets Operator`

			`External Secrets Operator (ESO) syncs secrets from 1Password to Kubernetes Secrets via 1Password Connect.`

			`## Architecture`

			```
			`1Password Cloud`
			`\|`
			`v`
			`1Password Connect (namespace: 1password)`
			`\|`
			`v`
			`External Secrets Operator (namespace: external-secrets)`
			`\|`
			`v`
			`Native Kubernetes Secrets`
			```

			`## Usage`

			ClusterSecretStore `onepassword-blumeops` provides access to the blumeops vault. See `argocd/manifests/devpi/external-secret.yaml` for a simple example.

			Important: 1Password Connect doesn't support the `?ssh-format=openssh` query parameter. SSH keys must be stored as Secure Notes with the OpenSSH-formatted key (see `argocd-forge-ssh-key` item).

			```bash
			`# Check all ExternalSecrets`
			`kubectl --context=minikube-indri get externalsecret -A`

			`# Find 1Password field names`
			`op item get <item> --vault blumeops --format json \| jq '.fields[] \| .label'`
			```

			`## Bootstrap (One-Time Setup)`

			`If reinstalling from scratch:`

			`1. Create Connect server credentials:`
			```bash
			`op connect server create blumeops --vaults blumeops`
			`op connect token create blumeops --server <server-id> --vault blumeops`
			```

			`2. Store in 1Password item "1Password Connect":`
			- `credentials-file`: raw JSON
			- `credentials-base64`: base64-encoded JSON
			- `token`: access token

			`3. Apply bootstrap secret:`
			```bash
			`kubectl --context=minikube-indri create namespace 1password`
			`op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| \`
			`kubectl --context=minikube-indri apply -f -`
			```

			`4. Sync apps in order:`
			- `argocd app sync 1password-connect`
			- `argocd app sync external-secrets-crds`
			- `argocd app sync external-secrets`
			- `argocd app sync external-secrets-config`

			`## Related`

			`- [[1767747119-YCPO\|BlumeOps]]`
			`- [[argocd\|ArgoCD]]`