Fix 1Password Connect credentials for chart 2.3.0

Chart 2.3.0 mounts credentials as a file with standard k8s base64
encoding. The old double-encoding workaround (credentials-base64 in
stringData) now produces invalid JSON. Use raw JSON (credentials-file)
instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-13 17:30:45 -08:00
commit b77ae19f20
2 changed files with 7 additions and 9 deletions

@ -42,9 +42,11 @@ op connect token create blumeops --server <server-id> --vault blumeops
### 3. Store Credentials in 1Password
Create a new item "1Password Connect" in the blumeops vault with:
- `credentials-file` field: Paste the contents of `1password-credentials.json` (NOT base64 encoded)
- `credentials-file` field: Paste the contents of `1password-credentials.json` (raw JSON, NOT base64 encoded)
- `token` field: Paste the access token
> **Note:** Chart 2.3.0+ mounts credentials as a file with standard k8s base64 encoding. The old `credentials-base64` field is no longer needed.
### 4. Create Bootstrap Secret
```bash
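Review bot: The note added under step 3 says the old `credentials-base64` field is "no longer needed", which undersells the change and leaves charts older than 2.3.0 unaddressed. Per the commit message the pre-encoded value now produces invalid JSON, so state that chart 2.3.0 is the minimum version for these instructions and that `credentials-base64` must no longer be referenced, not merely that it is optional.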

@ -9,19 +9,16 @@
# 2. Create token: op connect token create blumeops --server <server-id> --vault blumeops
# 3. Create 1Password item "1Password Connect" in blumeops vault with:
# - credentials-file: contents of 1password-credentials.json (raw JSON)
# - credentials-base64: base64-encoded contents of 1password-credentials.json
# - token: the access token
#
# To add credentials-base64 to existing item:
# CREDS=$(op item get "1Password Connect" --vault blumeops --format json | \
# jq -r '.fields[] | select(.label == "credentials-file") | .value' | base64)
# op item edit "1Password Connect" --vault blumeops "credentials-base64=$CREDS"
#
# Usage:
# kubectl --context=minikube-indri create namespace 1password
# op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
# kubectl --context=minikube-indri apply -f -
#
# Note: chart 2.3.0+ mounts credentials as a file with standard k8s base64.
# Use raw JSON here (not pre-encoded); k8s stringData handles encoding.
#
apiVersion: v1
kind: Secret
metadata:
@ -29,8 +26,7 @@ metadata:
namespace: 1password
type: Opaque
stringData:
# OP_SESSION env var expects base64-encoded credentials
1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-base64 }}"
1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-file }}"
---
apiVersion: v1
kind: Secret
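Review bot: On the changed `1password-credentials.json:` line the raw JSON is now placed inside a double-quoted YAML scalar, and JSON consists largely of `"` characters. If `op inject` substitutes the field value verbatim, the rendered manifest will either fail to parse or store altered content, a risk the base64 value never carried. Consider a block scalar (`1password-credentials.json: |`) with the reference indented beneath it and the field kept as single-line JSON, and check the rendered output with `kubectl apply --dry-run=client` before applying it to the cluster.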