Doc review: connect-to-postgres, create-release-artifact-workflow, deploy-k8s-service #191

Merged
eblume merged 6 commits from docs/doc-review-feb-15-2026 into main 2026-02-15 07:42:01 -08:00
7 changed files with 10 additions and 10 deletions
Showing only changes of commit 6ce6a1329f - Show all commits

Replace remaining op item get calls with op read

Migrate all remaining `op item get --fields` usage to `op read` URI
syntax across docs, READMEs, and YAML comments. Simplify the guidance
note in CLAUDE.md now that the migration is complete.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-15 07:36:55 -08:00

View file

@ -96,4 +96,4 @@ mise run blumeops-tasks # fetch from Todoist, sorted by priority
Root store is 1Password. Never grab directly - use existing patterns (ansible pre_tasks, external-secrets, scripts with `op` CLI). Warn user before any credential access.
**`op read` vs `op item get`:** Always use `op read "op://vault/item/field"` to retrieve secret values. `op item get --fields` wraps multi-line values in quotes, corrupting them. Use `op item get` only for listing item metadata (title, vault, field names), never for reading actual secret values in scripts or IaC. Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`.
Prefer `op read "op://vault/item/field"` over `op item get --fields` to avoid quoting issues with multi-line values.
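Review bot: The replacement line softens the rule from "Always use `op read`" to "Prefer `op read`" and drops the statement that `op item get` is only for listing item metadata, never for reading secret values. Since this file gives standing instructions, consider keeping the rule absolute and keeping the short reason (`--fields` wraps multi-line values in quotes, corrupting them), for example: "Always read secret values with `op read "op://vault/item/field"`; use `op item get` only for item metadata."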

View file

@ -8,8 +8,8 @@
# op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
#
# Then create the database:
# PGPASSWORD=$(op --vault blumeops item get <eblume-item-id> --fields password --reveal) \
# psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
# PGPASSWORD=$(op read "op://blumeops/postgres/password") \
# psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
#
# After syncing, access the TeslaMate UI at https://tesla.tail8d86e.ts.net to complete
# Tesla API authentication via OAuth flow.
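Review bot: The new psql line changes the host from `pg.tail8d86e.ts.net` to `pg.ops.eblu.me` in addition to the `op read` migration, which the commit message does not mention, and the context line below it still points at `https://tesla.tail8d86e.ts.net`. Either mention the hostname change in the commit message or split it into its own commit, and check whether the TeslaMate UI URL needs the same update.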

View file

@ -54,7 +54,7 @@ After the cluster is healthy:
psql -h k8s-pg.tail8d86e.ts.net -U eblume -W -d miniflux
# Or with password from 1Password
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \
psql -h k8s-pg.tail8d86e.ts.net -U eblume -d miniflux
# Get miniflux app credentials (for applications)
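Review bot: The URI `op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password` keeps the opaque item ID, so a reader cannot tell which credential is being read without looking it up in 1Password. A short comment above the command naming the item (or the account it belongs to) would make the example reviewable at a glance and make a wrong ID easier to spot.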
@ -73,7 +73,7 @@ Alternative if Tailscale service is unavailable:
kubectl -n databases port-forward svc/blumeops-pg-rw 5432:5432
# Terminal 2: Connect as eblume
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \
psql -h localhost -U eblume -d miniflux
```

View file

@ -36,8 +36,8 @@ op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
After the teslamate user exists in PostgreSQL (sync blumeops-pg first):
```bash
PGPASSWORD=$(op --vault blumeops item get <eblume-item-id> --fields password --reveal) \
psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
PGPASSWORD=$(op read "op://blumeops/postgres/password") \
psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
```
## Deployment
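Review bot: The old line used the placeholder `<eblume-item-id>`, while the new URI hard-codes the item name `postgres` (`op://blumeops/postgres/password`); the other psql examples in this commit read the eblume password from item `guxu3j7ajhjyey6xxl2ovsl2ui` in the same vault. Please confirm that `postgres` resolves to the eblume user's password and not to a different account, and use one way of referring to the item across the docs.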

View file

@ -32,7 +32,7 @@ Both tasks fetch the Gandi PAT from 1Password automatically.
To run Pulumi directly:
```bash
export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat")
cd pulumi/gandi
pulumi preview
pulumi up --yes
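Review bot: On the `export GANDI_PERSONAL_ACCESS_TOKEN=$(op read ...)` line, `export` returns success even when `op read` fails, so a failed lookup leaves the variable empty and `pulumi preview` still runs; the exported token also stays in the shell environment after the commands finish. Consider assigning first and exporting on a separate line so the failure is visible, or setting the variable as a per-command prefix the way the `PGPASSWORD=$(op read ...) psql` examples in this commit do.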

View file

@ -69,7 +69,7 @@ kubectl --context=minikube-indri -n <namespace> get pods --field-selector=status
**ArgoCD login expired:**
```bash
argocd login argocd.ops.eblu.me --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"
argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"
```
### kubectl connection refused
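Review bot: The `argocd login` line still passes the admin password through `--password "$(...)"`, so the expanded secret sits in the process argument list, where other local users can read it while the command runs. The switch to `op read` does not change that; consider documenting the exposure next to the command or using a login method that does not put the password in argv.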

View file

@ -70,7 +70,7 @@ mise run dns-preview # Preview only
Or manually:
```bash
export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat")
pulumi up
```
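Review bot: This `export GANDI_PERSONAL_ACCESS_TOKEN=...` line is the same command, with the same vault and item IDs, as the Pulumi instructions changed earlier in this commit, and both copies had to be edited together. Consider keeping the manual command in one document and linking to it from here, so the next change to how the token is fetched cannot leave the two out of sync.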