From d02bf062af2cd3a867cd5c4da17686ae0806fa0b Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 22 May 2026 21:29:11 -0700 Subject: [PATCH] C0: review 1password reference card Added vault split (blumeops vs Personal), noted onepassword-connect runs on both indri and ringtail, and lifted op CLI guidance from agent memory into the card. Bumped last-reviewed. --- docs/changelog.d/+review-1password-doc.doc.md | 1 + docs/reference/services/1password.md | 37 ++++++++++++------- 2 files changed, 24 insertions(+), 14 deletions(-) create mode 100644 docs/changelog.d/+review-1password-doc.doc.md diff --git a/docs/changelog.d/+review-1password-doc.doc.md b/docs/changelog.d/+review-1password-doc.doc.md new file mode 100644 index 0000000..bba9591 --- /dev/null +++ b/docs/changelog.d/+review-1password-doc.doc.md @@ -0,0 +1 @@ +Reviewed [[1password]] reference card: added the `blumeops` vs `Personal` vault split, noted that `onepassword-connect` runs on both indri and ringtail (not just one cluster), and pulled the `op read` vs `op item get --fields` guidance up from agent memory into the card. diff --git a/docs/reference/services/1password.md b/docs/reference/services/1password.md index 4489194..5ad50da 100644 --- a/docs/reference/services/1password.md +++ b/docs/reference/services/1password.md @@ -1,6 +1,7 @@ --- title: 1Password -modified: 2026-02-10 +modified: 2026-05-22 +last-reviewed: 2026-05-22 tags: - service - secrets 
@@ -8,15 +9,22 @@ tags: # 1Password -Root credential store for all BlumeOps secrets, synced to Kubernetes via External Secrets Operator. +Root credential store for all BlumeOps secrets. Kubernetes workloads read items via [[external-secrets|External Secrets Operator]]; humans and agents read via the `op` CLI. -## Architecture +## Vaults + +| Vault | Purpose | +|-------|---------| +| `blumeops` | Infrastructure secrets — referenced by ExternalSecret manifests and scripts. | +| `Personal` | Human login credentials keyed by URL for autofill. Not consumed by infrastructure. | + +## Kubernetes Integration ``` 1Password Cloud | v -1Password Connect (namespace: 1password) +1Password Connect (namespace: 1password, deployed on both indri and ringtail) | v External Secrets Operator (namespace: external-secrets) @@ -25,15 +33,15 @@ External Secrets Operator (namespace: external-secrets) Native Kubernetes Secrets ``` -## Vault +**ClusterSecretStore:** `onepassword-blumeops` (same name on both clusters). -The `blumeops` vault contains all infrastructure credentials. +Services reference 1Password items via `ExternalSecret` manifests. Both `minikube-indri` and `k3s-ringtail` run their own `onepassword-connect` deployment talking to the same vault. -## Kubernetes Integration +## Direct Access -**ClusterSecretStore:** `onepassword-blumeops` +Prefer `op read "op://vault/item/field"` over `op item get --fields` in scripts and IaC — `op item get --fields` wraps multi-line values in quotes, corrupting them. `op item get` without flags is fine for exploring item metadata. -Services reference 1Password items via `ExternalSecret` manifests. +If an item name contains special characters (e.g. parentheses), use the item ID instead of the name in the `op://` path. ## Disaster Recovery Backup 
@@ -41,8 +49,9 @@ The `mise run op-backup` task encrypts a `.1pux` vault export and transfers it t ## Related -- [[argocd]] - Uses secrets for git access -- [[postgresql]] - Database credentials -- [[run-1password-backup]] - Periodic backup procedure -- [[restore-1password-backup]] - Recovery from backup -- [[borgmatic]] - Backup system +- [[external-secrets]] — Kubernetes operator that consumes ClusterSecretStore +- [[argocd]] — Uses secrets for git access +- [[postgresql]] — Database credentials +- [[run-1password-backup]] — Periodic backup procedure +- [[restore-1password-backup]] — Recovery from backup +- [[borgmatic]] — Backup system
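Review bot: in the `@@ -1,6 +1,7 @@` hunk of `docs/reference/services/1password.md`, the new `last-reviewed: 2026-05-22` frontmatter key sits beside `modified` but the diff gives no indication whether the other reference cards already carry a key of that name; confirm it matches the convention used elsewhere under `docs/reference/` so that any tooling or query that checks review age treats this card the same as the rest.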
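Review bot: in the Direct Access section of the `@@ -8,15 +9,22 @@` hunk, the example `op read "op://vault/item/field"` keeps a generic `vault` placeholder even though the Vaults table just above now names the infrastructure vault; writing it as `op read "op://blumeops/<item>/<field>"` ties the guidance to that table and is directly usable from scripts. In the same hunk, the Kubernetes Integration text states that both `minikube-indri` and `k3s-ringtail` run their own `onepassword-connect` deployment against the same vault but says nothing about how the Connect access token is scoped; since the table states that `Personal` is not consumed by infrastructure, one sentence confirming the token is granted to `blumeops` only would record that least-privilege boundary and make it checkable on the next review.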
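Review bot: the `@@ -41,8 +49,9 @@` hunk rewrites all five existing Related entries solely to change the ` - ` separator to ` — `, which buries the one substantive change, the new `[[external-secrets]]` entry, inside formatting churn; either split the separator change into its own commit or mention it in the commit message so the diff reads as what the subject describes.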