diff --git a/CLAUDE.md b/CLAUDE.md index 9390944..6f255b8 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -96,4 +96,4 @@ mise run blumeops-tasks # fetch from Todoist, sorted by priority Root store is 1Password. Never grab directly - use existing patterns (ansible pre_tasks, external-secrets, scripts with `op` CLI). Warn user before any credential access. -**`op read` vs `op item get`:** Always use `op read "op://vault/item/field"` to retrieve secret values. `op item get --fields` wraps multi-line values in quotes, corrupting them. Use `op item get` only for listing item metadata (title, vault, field names), never for reading actual secret values in scripts or IaC. Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`. +Prefer `op read "op://vault/item/field"` over `op item get --fields` to avoid quoting issues with multi-line values. diff --git a/argocd/apps/teslamate.yaml b/argocd/apps/teslamate.yaml index 6165b8e..60247da 100644 --- a/argocd/apps/teslamate.yaml +++ b/argocd/apps/teslamate.yaml @@ -8,8 +8,8 @@ # op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f - # # Then create the database: -# PGPASSWORD=$(op --vault blumeops item get --fields password --reveal) \ -# psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;" +# PGPASSWORD=$(op read "op://blumeops/postgres/password") \ +# psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;" # # After syncing, access the TeslaMate UI at https://tesla.tail8d86e.ts.net to complete # Tesla API authentication via OAuth flow. diff --git a/argocd/manifests/databases/README.md b/argocd/manifests/databases/README.md index b5794d2..be7fc2e 100644 --- a/argocd/manifests/databases/README.md +++ b/argocd/manifests/databases/README.md 
@@ -54,7 +54,7 @@ After the cluster is healthy: psql -h k8s-pg.tail8d86e.ts.net -U eblume -W -d miniflux # Or with password from 1Password -PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \ +PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \ psql -h k8s-pg.tail8d86e.ts.net -U eblume -d miniflux # Get miniflux app credentials (for applications) @@ -73,7 +73,7 @@ Alternative if Tailscale service is unavailable: kubectl -n databases port-forward svc/blumeops-pg-rw 5432:5432 # Terminal 2: Connect as eblume -PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \ +PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \ psql -h localhost -U eblume -d miniflux ``` diff --git a/argocd/manifests/teslamate/README.md b/argocd/manifests/teslamate/README.md index 65875e4..7e1f9fc 100644 --- a/argocd/manifests/teslamate/README.md +++ b/argocd/manifests/teslamate/README.md @@ -36,8 +36,8 @@ op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f - After the teslamate user exists in PostgreSQL (sync blumeops-pg first): ```bash -PGPASSWORD=$(op --vault blumeops item get --fields password --reveal) \ - psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;" +PGPASSWORD=$(op read "op://blumeops/postgres/password") \ + psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;" ``` ## Deployment diff --git a/docs/how-to/gandi-operations.md b/docs/how-to/gandi-operations.md index 138eed2..83b4bd4 100644 --- a/docs/how-to/gandi-operations.md +++ b/docs/how-to/gandi-operations.md 
@@ -32,7 +32,7 @@ Both tasks fetch the Gandi PAT from 1Password automatically. To run Pulumi directly: ```bash -export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie) +export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat") cd pulumi/gandi pulumi preview pulumi up --yes diff --git a/docs/how-to/troubleshooting.md b/docs/how-to/troubleshooting.md index 24bc1e7..567b9e7 100644 --- a/docs/how-to/troubleshooting.md +++ b/docs/how-to/troubleshooting.md @@ -69,7 +69,7 @@ kubectl --context=minikube-indri -n get pods --field-selector=status **ArgoCD login expired:** ```bash -argocd login argocd.ops.eblu.me --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)" +argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')" ``` ### kubectl connection refused diff --git a/pulumi/gandi/README.md b/pulumi/gandi/README.md index d8d30d9..9d7b7aa 100644 --- a/pulumi/gandi/README.md +++ b/pulumi/gandi/README.md @@ -70,7 +70,7 @@ mise run dns-preview # Preview only Or manually: ```bash -export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie) +export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat") pulumi up ```
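Review bot: In the CLAUDE.md hunk, the replacement line weakens the rule from "Always use `op read`" to "Prefer", and it drops two statements the removed paragraph made: that `op item get` is still acceptable for listing item metadata, and that it must never be used to read secret values in scripts or IaC. Every other hunk in this patch replaces the old form outright, so the guidance should stay as strict as the change it accompanies. Suggest keeping "Always use `op read` for secret values" plus one clause on the metadata-only use of `op item get`.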
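Review bot: In the argocd/apps/teslamate.yaml and argocd/manifests/teslamate/README.md hunks, the new reference `op://blumeops/postgres/password` addresses the item by the name `postgres`, while the argocd/manifests/databases/README.md hunks address an item in the same `blumeops` vault by ID (`guxu3j7ajhjyey6xxl2ovsl2ui`) for the same `eblume` psql user. The removed lines carried no item argument at all, so nothing in the patch confirms that `postgres` resolves to the intended item; please confirm it and settle on one addressing style. These two hunks also change the host from `pg.tail8d86e.ts.net` to `pg.ops.eblu.me`, which is a separate change from the `op read` migration and leaves the `https://tesla.tail8d86e.ts.net` context line and the `k8s-pg.tail8d86e.ts.net` hosts in the databases README on the old domain. Split the host change out or call it out in the commit message.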
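Review bot: In the docs/how-to/troubleshooting.md hunk, the new line still expands the secret into the command line via `--password "$(op read '...')"`, so the ArgoCD admin password sits in the argv of the `argocd` process and is readable by other local processes while the login runs. That behaviour predates this change, but since the line is being rewritten it is worth either omitting `--password` so `argocd login` prompts for it, or adding a sentence to the doc noting the exposure. Minor style point on the same line: it uses single quotes around the `op://` reference where every other hunk uses double quotes.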
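Review bot: In the docs/how-to/gandi-operations.md and pulumi/gandi/README.md hunks, `export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "...")` discards the exit status of `op read`, because the status of the line is that of `export`. If the read fails (not signed in, wrong reference), the variable is exported empty and `pulumi preview` / `pulumi up` still run. Suggest assigning first and exporting only on success, e.g. `GANDI_PERSONAL_ACCESS_TOKEN=$(op read "...") && export GANDI_PERSONAL_ACCESS_TOKEN`, so a failed lookup stops the sequence before Pulumi is invoked.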