Add External Secrets Operator with 1Password Connect (#66)

Merged
eblume merged 7 commits from feature/external-secrets into main 2026-01-28 19:30:11 -08:00

7 commits

Author SHA1 Message Date
bc5ca35e41 Switch devpi ExternalSecret to Owner creationPolicy
Migration validated successfully, ESO now fully owns the secret.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:27:28 -08:00
7112d0756c Fix 1Password Connect credentials format
The OP_SESSION env var expects base64-encoded credentials.
Updated secret template to use credentials-base64 field.

Also updated 1Password item instructions to include adding
the base64-encoded credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:25:38 -08:00
a7fd4bbbe7 Fix ESO API versions and add CRDs app
- Update ClusterSecretStore to use v1 API (not v1beta1)
- Update devpi ExternalSecret to use v1 API
- Add external-secrets-crds app to install CRDs with ServerSideApply
  (Helm chart CRDs are auto-generated during packaging, not in raw git)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:19:41 -08:00
4f335abb56 Use Merge creationPolicy for safer secret migration
Merge allows ESO to take over an existing secret without
requiring deletion first, preventing service disruption.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:03:31 -08:00
f2cdb41f35 Add ExternalSecret for devpi as proof of concept
Converts devpi secret from manual op inject to ExternalSecret.
This validates the 1Password Connect + ESO workflow.

The secret-root.yaml.tpl template is kept for reference but
the ExternalSecret will now manage the devpi-root secret.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 18:47:02 -08:00
eafcdb2f28 Add External Secrets Operator for GitOps secret management
Deploys ESO to sync secrets from 1Password to native K8s Secrets.
Replaces manual `op inject` workflow with declarative ExternalSecrets.

Includes:
- ArgoCD Application for ESO operator (helm-chart-1.3.1)
- Separate config app for ClusterSecretStore
- ClusterSecretStore connecting to 1Password Connect
- Helm values with resource limits for minikube

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 18:46:54 -08:00
38179337e0 Add 1Password Connect server for secrets automation
Deploys 1Password Connect to provide REST API access to vault items.
This enables External Secrets Operator to sync secrets from 1Password.

Includes:
- ArgoCD Application using Helm chart (connect-2.2.1)
- Bootstrap secret template for credentials
- Helm values with resource limits for minikube

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 18:46:46 -08:00
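
The two-phase takeover described in commits 4f335abb56 and bc5ca35e41, as an added example that is not taken from this pull request or the repository: an ExternalSecret that first merges into the existing `devpi-root` Secret and is later switched to `Owner`. The namespace, store name, refresh interval, secret key and 1Password item/field names are assumptions.

```yaml
# Added example, not the repository's manifest. Values marked "assumed" are
# placeholders; only devpi-root, the v1 API and the two policies come from the page.
apiVersion: external-secrets.io/v1      # v1, not v1beta1 (commit a7fd4bbbe7)
kind: ExternalSecret
metadata:
  name: devpi-root
  namespace: devpi                      # assumed namespace
spec:
  refreshInterval: 1h                   # assumed sync interval
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword                   # assumed store name
  target:
    name: devpi-root                    # existing Secret, previously written via op inject
    # Phase 1 (commit 4f335abb56): Merge writes the keys below into the Secret
    # that already exists. ESO does not create it and sets no ownerReference,
    # so deleting this ExternalSecret leaves the Secret in place.
    creationPolicy: Merge
    # Phase 2 (commit bc5ca35e41), once the synced values are verified:
    # Owner makes ESO create and own the Secret (ownerReference set), and the
    # Secret is garbage-collected when the ExternalSecret is deleted.
    # creationPolicy: Owner
  data:
    - secretKey: password               # assumed key inside the Kubernetes Secret
      remoteRef:
        key: devpi-root-item            # assumed 1Password item title
        property: password              # assumed field label on that item
```

After the switch to `Owner`, `kubectl get secret devpi-root -o jsonpath='{.metadata.ownerReferences}'` should list the ExternalSecret; an empty result means the Secret is still unowned and would survive deletion of the ExternalSecret.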