Fix 1Password Connect credentials format

The OP_SESSION env var expects base64-encoded credentials.
Updated secret template to use credentials-base64 field.

Also updated 1Password item instructions to include adding
the base64-encoded credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/1password-connect/secret-credentials.yaml.tpl

@@ -8,9 +8,15 @@
 # 1. Create Connect server: op connect server create blumeops --vaults blumeops
 # 2. Create token: op connect token create blumeops --server <server-id> --vault blumeops
 # 3. Create 1Password item "1Password Connect" in blumeops vault with:
-#    - credentials-file: contents of 1password-credentials.json (NOT base64 encoded)
+#    - credentials-file: contents of 1password-credentials.json (raw JSON)
+#    - credentials-base64: base64-encoded contents of 1password-credentials.json
 #    - token: the access token
 #
+#    To add credentials-base64 to existing item:
+#      CREDS=$(op item get "1Password Connect" --vault blumeops --format json | \
+#        jq -r '.fields[] | select(.label == "credentials-file") | .value' | base64)
+#      op item edit "1Password Connect" --vault blumeops "credentials-base64=$CREDS"
+#
 # Usage:
 #   kubectl --context=minikube-indri create namespace 1password
 #   op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
@@ -23,8 +29,8 @@ metadata:
   namespace: 1password
 type: Opaque
 stringData:
-  1password-credentials.json: |
-    {{ op://blumeops/1Password Connect/credentials-file }}
+  # OP_SESSION env var expects base64-encoded credentials
+  1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-base64 }}"
 ---
 apiVersion: v1
 kind: Secret