Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326)

## Summary

- Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service)
- Bumps 1Password Connect from 1.8.1 → 1.8.2
- Completes the no-helm-policy migration — all services now use kustomize
- Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits)

## Changes

- **New:** `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/`
- **Rewritten:** Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm
- **Deleted:** `values.yaml` (Helm values no longer needed)
- **Updated:** `no-helm-policy.md`, `service-versions.yaml`, `README.md`

## Deployment plan

1. Sync `apps` app to pick up the new app definitions
2. `argocd app set 1password-connect --revision 1password-connect-kustomize`
3. `argocd app sync 1password-connect` — verify on indri
4. Repeat for ringtail
5. After merge: reset revision to main, re-sync both

## Test plan

- [ ] `kubectl kustomize` renders cleanly (verified locally)
- [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped)
- [ ] Pods come up healthy on indri
- [ ] External Secrets still resolves 1Password items
- [ ] Repeat on ringtail

Reviewed-on: #326

argocd/apps/1password-connect-ringtail.yaml

@@ -1,5 +1,5 @@
 # 1Password Connect for ringtail k3s cluster
-# Same chart/values as indri, different destination
+# Same manifests as indri, different destination
 #
 # Prerequisites:
 # 1. Bootstrap secrets via ansible (provision-ringtail creates 1password namespace,
@@ -13,17 +13,10 @@ metadata:
   namespace: argocd
 spec:
   project: default
-  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
-      targetRevision: connect-2.3.0
-      path: charts/connect
-      helm:
-        releaseName: onepassword-connect
-        valueFiles:
-          - $values/argocd/manifests/1password-connect/values.yaml
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: main
-      ref: values
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/1password-connect
   destination:
     server: https://ringtail.tail8d86e.ts.net:6443
     namespace: 1password

argocd/apps/1password-connect.yaml

@@ -1,7 +1,7 @@
 # 1Password Connect - Secrets Automation Server
 # Provides REST API access to 1Password vault items for External Secrets Operator
 #
-# Chart mirrored from https://github.com/1Password/connect-helm-charts
+# Manifests rendered from connect-helm-charts v2.4.1, maintained as plain kustomize.
 #
 # Prerequisites (one-time setup):
 # 1. Create Connect server: op connect server create blumeops --vaults blumeops
@@ -19,17 +19,10 @@ metadata:
   namespace: argocd
 spec:
   project: default
-  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
-      targetRevision: connect-2.3.0
-      path: charts/connect
-      helm:
-        releaseName: onepassword-connect
-        valueFiles:
-          - $values/argocd/manifests/1password-connect/values.yaml
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: main
-      ref: values
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/1password-connect
   destination:
     server: https://kubernetes.default.svc
     namespace: 1password

argocd/manifests/1password-connect/README.md

@@ -55,6 +55,15 @@ op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
   kubectl --context=minikube-indri apply -f -
 ```
 
+## Version Management
+
+Image versions are pinned in `kustomization.yaml` via `images[].newTag`. To upgrade:
+
+1. Update `newTag` for both `1password/connect-api` and `1password/connect-sync`
+2. Sync via ArgoCD
+
+The manifests were rendered from `connect-helm-charts v2.4.1` and are maintained as plain kustomize.
+
 ## Deployment
 
 ```bash

argocd/manifests/1password-connect/deployment.yaml

@@ -0,0 +1,131 @@
+# Rendered from connect-helm-charts v2.4.1 with blumeops values, then de-Helmed.
+# Image tags managed by kustomization.yaml images[] — do not edit here.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onepassword-connect
+  namespace: 1password
+  labels:
+    app.kubernetes.io/component: connect
+    app.kubernetes.io/name: connect
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: onepassword-connect
+  template:
+    metadata:
+      labels:
+        app: onepassword-connect
+        app.kubernetes.io/component: connect
+    spec:
+      securityContext:
+        fsGroup: 999
+        runAsGroup: 999
+        runAsNonRoot: true
+        runAsUser: 999
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+        - name: credentials
+          secret:
+            secretName: op-credentials
+            items:
+              - key: 1password-credentials.json
+                path: 1password-credentials.json
+      containers:
+        - name: connect-api
+          image: 1password/connect-api:kustomized
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+          env:
+            - name: OP_SESSION
+              value: /home/opuser/.op/1password-credentials.json
+            - name: OP_BUS_PORT
+              value: "11220"
+            - name: OP_BUS_PEERS
+              value: localhost:11221
+            - name: OP_HTTP_PORT
+              value: "8080"
+            - name: OP_LOG_LEVEL
+              value: "info"
+          readinessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTP
+              port: 8080
+            initialDelaySeconds: 15
+          livenessProbe:
+            httpGet:
+              path: /heartbeat
+              scheme: HTTP
+              port: 8080
+            failureThreshold: 3
+            periodSeconds: 30
+            initialDelaySeconds: 15
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
+            - name: credentials
+              mountPath: /home/opuser/.op/1password-credentials.json
+              subPath: 1password-credentials.json
+        - name: connect-sync
+          image: 1password/connect-sync:kustomized
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+          env:
+            - name: OP_HTTP_PORT
+              value: "8081"
+            - name: OP_SESSION
+              value: /home/opuser/.op/1password-credentials.json
+            - name: OP_BUS_PORT
+              value: "11221"
+            - name: OP_BUS_PEERS
+              value: localhost:11220
+            - name: OP_LOG_LEVEL
+              value: "info"
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8081
+            initialDelaySeconds: 15
+          livenessProbe:
+            httpGet:
+              path: /heartbeat
+              port: 8081
+              scheme: HTTP
+            failureThreshold: 3
+            periodSeconds: 30
+            initialDelaySeconds: 15
+          volumeMounts:
+            - mountPath: /home/opuser/.op/data
+              name: shared-data
+            - name: credentials
+              mountPath: /home/opuser/.op/1password-credentials.json
+              subPath: 1password-credentials.json

argocd/manifests/1password-connect/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: 1password
+
+resources:
+  - deployment.yaml
+  - service.yaml
+
+images:
+  - name: 1password/connect-api
+    newTag: "1.8.2"
+  - name: 1password/connect-sync
+    newTag: "1.8.2"

argocd/manifests/1password-connect/service.yaml

@@ -0,0 +1,18 @@
+# Rendered from connect-helm-charts v2.4.1, then de-Helmed.
+apiVersion: v1
+kind: Service
+metadata:
+  name: onepassword-connect
+  namespace: 1password
+  labels:
+    app.kubernetes.io/component: connect
+    app.kubernetes.io/name: connect
+spec:
+  type: ClusterIP
+  selector:
+    app: onepassword-connect
+  ports:
+    - port: 8081
+      name: connect-sync
+    - port: 8080
+      name: connect-api

argocd/manifests/1password-connect/values.yaml

@@ -1,33 +0,0 @@
-# 1Password Connect Helm values for blumeops
-# Chart: https://github.com/1Password/connect-helm-charts
-#
-# The credentials are bootstrapped manually via secret-credentials.yaml.tpl
-# before deploying this chart.
-
-connect:
-  # Use pre-created credentials secret (from bootstrap)
-  credentialsKey: 1password-credentials.json
-  credentialsName: op-credentials
-
-  # Resource limits for minikube
-  api:
-    resources:
-      requests:
-        memory: "64Mi"
-        cpu: "50m"
-      limits:
-        memory: "256Mi"
-        cpu: "200m"
-
-  sync:
-    resources:
-      requests:
-        memory: "64Mi"
-        cpu: "50m"
-      limits:
-        memory: "256Mi"
-        cpu: "200m"
-
-# We don't use the 1Password Operator (using External Secrets instead)
-operator:
-  create: false

docs/changelog.d/1password-connect-kustomize.infra.md

@@ -0,0 +1 @@
+Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2), completing the no-helm-policy migration.

docs/explanation/no-helm-policy.md

@@ -1,6 +1,6 @@
 ---
 title: No Helm Policy
-modified: 2026-04-04
+modified: 2026-04-06
 tags:
   - explanation
   - kubernetes
@@ -20,9 +20,7 @@ Kustomize overlays preserve the readability of plain YAML while providing the co
 
 ## Current State
 
-All services in blumeops use kustomize manifests except:
-
-- **1Password Connect** — still deployed via Helm chart (`connect-helm-charts v2.3.0`). Migration is a future goal.
+All services in blumeops use kustomize manifests. The last Helm dependency (1Password Connect) was migrated in 2026-04.
 
 ## Migration History
 
@@ -35,6 +33,7 @@ Services previously deployed via Helm that have been migrated to kustomize:
 | External Secrets | 2026-03 | Static manifests rendered from chart |
 | Homepage | 2026-02 | Replaced chart with plain manifests |
 | Immich | 2026-04 | Converted during v2.6.3 upgrade |
+| 1Password Connect | 2026-04 | Rendered from chart v2.4.1, bumped to 1.8.2 |
 
 ## Guidelines
 

service-versions.yaml

@@ -134,10 +134,10 @@ services:
 
   - name: 1password-connect
     type: argocd
-    last-reviewed: 2026-02-26
-    current-version: "1.8.1"
+    last-reviewed: 2026-04-06
+    current-version: "1.8.2"
     upstream-source: https://hub.docker.com/r/1password/connect-api/tags
-    notes: Deployed via Helm chart (chart v2.3.0)
+    notes: Kustomize manifests rendered from connect-helm-charts v2.4.1
 
   - name: argocd
     type: argocd