Add External Secrets Operator with 1Password Connect (#66)

Merged
eblume merged 7 commits from feature/external-secrets into main 2026-01-28 19:30:11 -08:00

Summary

  • Add 1Password Connect server for secrets automation API
  • Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s
  • Add ClusterSecretStore connecting ESO to 1Password Connect
  • Convert devpi secret to ExternalSecret as proof of concept

Architecture

1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets

Deployment and Testing

  • Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE
  • Create 1Password Connect credentials (op connect server create)
  • Store credentials in 1Password item "1Password Connect"
  • Bootstrap secret: op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | kubectl apply -f -
  • Deploy 1password-connect: argocd app sync 1password-connect
  • Deploy external-secrets: argocd app sync external-secrets
  • Deploy external-secrets-config: argocd app sync external-secrets-config
  • Test devpi ExternalSecret: argocd app sync devpi
  • Verify secret synced: kubectl get externalsecret -n devpi

Future Work

After PoC validated, migrate remaining 12 secret templates to ExternalSecrets:

  • databases (3), tailscale-operator (1), grafana-config (2), teslamate (2)
  • forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap)

🤖 Generated with Claude Code
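The two manifests that the architecture line above implies (ESO → 1Password Connect, then ExternalSecret → native Secret), written here as an added illustration rather than copied from the blumeops repository. The API group/version (`external-secrets.io/v1`) and the `Merge` creation policy follow the commits in this PR; the store name `onepassword`, the `onepassword` namespace and service host, the vault name `homelab`, the token Secret `onepassword-connect-token`/`token`, and the item title `devpi-root` are assumptions.

```yaml
# Added example, not the project's own manifests. Namespace, vault, item and
# Secret names are assumptions; the v1 API and creationPolicy: Merge match
# what the commits in this PR describe.

# ClusterSecretStore: how ESO reaches 1Password Connect. The Connect token
# lives in a bootstrap Secret that ESO reads directly; it is the one secret
# that cannot itself be delivered by ESO (the "self-bootstrap" item under
# Future Work).
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepassword:
      # Plain HTTP is tolerable only because this traffic never leaves the
      # cluster network; Connect itself talks TLS to 1Password Cloud.
      connectHost: http://onepassword-connect.onepassword.svc.cluster.local:8080
      # Vault name -> lookup priority. Only vaults listed here are reachable,
      # so this is where blast radius of a leaked Connect token is bounded.
      vaults:
        homelab: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            namespace: onepassword          # required on a ClusterSecretStore
            name: onepassword-connect-token
            key: token
---
# ExternalSecret: declares which 1Password item/field becomes which key of a
# native Secret. creationPolicy: Merge lets ESO adopt the Secret that the old
# `op inject` template created instead of deleting and recreating it (no
# pod restart, no missing-Secret window). Caveat: Merge requires the target
# Secret to already exist and leaves keys it does not manage untouched, so
# once the migration is validated switch to Owner so ESO fully owns the Secret.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: devpi-root
  namespace: devpi
spec:
  refreshInterval: 1h                 # how often ESO re-reads the vault item
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: devpi-root                  # the Secret the devpi chart already mounts
    creationPolicy: Merge
  data:
    - secretKey: password             # key inside the K8s Secret
      remoteRef:
        key: devpi-root               # 1Password item title (assumed)
        property: password            # field label on that item (assumed)
```

To check the sync beyond the `kubectl get externalsecret -n devpi` listing in the checklist, `kubectl wait --for=condition=Ready externalsecret/devpi-root -n devpi --timeout=2m` blocks until ESO reports `SecretSynced`; a `SecretSyncedError` reason usually means the vault is not listed in `spec.provider.onepassword.vaults`, the item title or field label does not match, or (with `Merge`) the target Secret does not exist yet.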

Deploys 1Password Connect to provide REST API access to vault items.
This enables External Secrets Operator to sync secrets from 1Password.

Includes:
- ArgoCD Application using Helm chart (connect-2.2.1)
- Bootstrap secret template for credentials
- Helm values with resource limits for minikube

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Deploys ESO to sync secrets from 1Password to native K8s Secrets.
Replaces manual `op inject` workflow with declarative ExternalSecrets.

Includes:
- ArgoCD Application for ESO operator (helm-chart-1.3.1)
- Separate config app for ClusterSecretStore
- ClusterSecretStore connecting to 1Password Connect
- Helm values with resource limits for minikube

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Converts devpi secret from manual op inject to ExternalSecret.
This validates the 1Password Connect + ESO workflow.

The secret-root.yaml.tpl template is kept for reference but
the ExternalSecret will now manage the devpi-root secret.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Merge allows ESO to take over an existing secret without
requiring deletion first, preventing service disruption.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update ClusterSecretStore to use v1 API (not v1beta1)
- Update devpi ExternalSecret to use v1 API
- Add external-secrets-crds app to install CRDs with ServerSideApply
  (Helm chart CRDs are auto-generated during packaging, not in raw git)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The OP_SESSION env var expects base64-encoded credentials.
Updated secret template to use credentials-base64 field.

Also updated 1Password item instructions to include adding
the base64-encoded credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Migration validated successfully, ESO now fully owns the secret.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit 482414346e into main 2026-01-28 19:30:11 -08:00
Reference
eblume/blumeops!66