Erich Blume
482414346e
## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66
2.5 KiB
2.5 KiB
External Secrets Operator
External Secrets Operator (ESO) syncs secrets from 1Password Connect to native Kubernetes Secrets.
Architecture
- ClusterSecretStore (
onepassword-blumeops): Cluster-wide access to 1Password via Connect - ExternalSecret (per-namespace): Defines which secrets to sync from 1Password
Prerequisites
1Password Connect must be deployed and healthy before syncing ESO.
Deployment
argocd app sync external-secrets
Verification
# Check operator pods
kubectl --context=minikube-indri -n external-secrets get pods
# Check ClusterSecretStore status
kubectl --context=minikube-indri get clustersecretstore onepassword-blumeops
# Check all ExternalSecrets across namespaces
kubectl --context=minikube-indri get externalsecret -A
Creating ExternalSecrets
To sync a secret from 1Password, create an ExternalSecret in the target namespace:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: my-secret
namespace: my-namespace
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-blumeops
target:
name: my-secret # Name of K8s Secret to create
creationPolicy: Owner # ESO owns and manages the Secret
data:
- secretKey: password # Key in the K8s Secret
remoteRef:
key: My 1Password Item # Title of item in 1Password
property: password # Field label in 1Password item
Finding 1Password Item Details
# List items in blumeops vault
op item list --vault blumeops
# Get field names for an item
op item get <item-id> --vault blumeops --format json | jq -r '.fields[] | .label'
Troubleshooting
ClusterSecretStore not ready
- Check 1Password Connect is running:
kubectl --context=minikube-indri -n 1password get pods - Verify token secret exists:
kubectl --context=minikube-indri -n 1password get secret onepassword-token
ExternalSecret not syncing
- Check the ExternalSecret status:
kubectl --context=minikube-indri describe externalsecret <name> -n <namespace> - Verify the 1Password item title and field names match exactly
- Check ESO controller logs:
kubectl --context=minikube-indri -n external-secrets logs -l app.kubernetes.io/name=external-secrets