Document op read vs op item get convention (#143)
## Summary

- Adds guidance to CLAUDE.md: use `op read` for secret values, `op item get` only for metadata
- Fixes the argocd login example which used `op item get --fields`
- `op item get --fields` wraps multi-line values in quotes, which corrupts keys and other secrets

Discovered while verifying the sifaka borg repokey in 1Password — hashes didn't match until we switched to `op read`.

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/143
parent d045a5d76a
commit 0d5f48e2c2
2 changed files with 4 additions and 1 deletion
@ -53,7 +53,7 @@ Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync).
**Commands:** `argocd app list|get|diff|sync <app>`
**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"`
**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"`
### Indri (Ansible)
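Review bot: the new `op read` form on the `**Login:**` line still hands the password to `argocd` through `--password "$(…)"`, so the secret lands in the argocd process's argument list (readable by other local users via `ps`) and, when typed interactively, in shell history; the replaced `op item get --fields password --reveal` form had the same property, so this is not a regression, but since this line is the documented login pattern, add a one-line caveat next to it (or point at a non-argv login path if argocd offers one) rather than presenting it as the recommended way to authenticate. The `op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password` reference itself is consistent with the `op read` rule introduced further down in the same file, and `op read` needs no `--reveal`.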
@ -95,3 +95,5 @@ mise run blumeops-tasks # fetch from Todoist, sorted by priority
## Credentials
Root store is 1Password. Never grab directly - use existing patterns (ansible pre_tasks, external-secrets, scripts with `op` CLI). Warn user before any credential access.
**`op read` vs `op item get`:** Always use `op read "op://vault/item/field"` to retrieve secret values. `op item get --fields` wraps multi-line values in quotes, corrupting them. Use `op item get` only for listing item metadata (title, vault, field names), never for reading actual secret values in scripts or IaC. Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`.
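Review bot: the added `op read` vs `op item get` paragraph states the rule but not how to verify a migrated call, and verification is what exposed the problem described in the commit message (hashing the borg repokey); suggest one sentence telling the reader to compare a hash (for example `sha256sum`) of the value produced by the old `op item get --fields` call and the new `op read` call before deleting the old one. Two related caveats belong in the same paragraph: capturing a value with `$(op read …)`, as the login example earlier in the file does, strips trailing newlines, which is harmless for a password but not for a multi-line key that is written to a file, so such values should go straight from `op read` to the destination rather than through a shell variable; and the `op://vault/item/field` form is shown with placeholders while the login example uses vault and item IDs, so say which the repo prefers (secret references accept either, and IDs avoid ambiguity when item titles collide) so scripts and Ansible stay consistent.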
docs/changelog.d/docs-op-read-convention.doc.md (new file, 1 line)
@ -0,0 +1 @@
Document `op read` vs `op item get` convention for 1Password secret retrieval