Erich Blume
b8104d75ad
## Summary - Move all existing zettelkasten cards from `docs/` to `docs/zk/` as a temporary holding area - Update `zk-docs` mise task to look in the new location - Add `docs/README.md` explaining the Diataxis-based restructuring plan and target audiences ## Context This is phase 1 of a multi-phase documentation restructuring effort. The goal is to reorganize docs to follow the Diataxis framework while serving multiple audiences: 1. Erich (owner) - knowledge graph/zk 2. Claude/AI agents - memory and context enrichment 3. New external readers - high-level overview 4. Potential operators/contributors - onboarding 5. Replicators - people wanting to duplicate the approach ## Testing - [x] Verified `mise run zk-docs` still works with the new path - [x] Updated obsidian.nvim config (in ~/.config/nvim) to point to new path ## Note The obsidian.nvim config change is outside this repo but was made as part of this work. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/84
75 lines
1.9 KiB
Markdown
75 lines
1.9 KiB
Markdown
---
|
|
id: external-secrets
|
|
aliases:
|
|
- external-secrets
|
|
- eso
|
|
- external-secrets-operator
|
|
tags:
|
|
- blumeops
|
|
---
|
|
|
|
# External Secrets Operator
|
|
|
|
External Secrets Operator (ESO) syncs secrets from 1Password to Kubernetes Secrets via 1Password Connect.
|
|
|
|
## Architecture
|
|
|
|
```
|
|
1Password Cloud
|
|
|
|
|
v
|
|
1Password Connect (namespace: 1password)
|
|
|
|
|
v
|
|
External Secrets Operator (namespace: external-secrets)
|
|
|
|
|
v
|
|
Native Kubernetes Secrets
|
|
```
|
|
|
|
## Usage
|
|
|
|
ClusterSecretStore `onepassword-blumeops` provides access to the blumeops vault. See `argocd/manifests/devpi/external-secret.yaml` for a simple example.
|
|
|
|
**Important:** 1Password Connect doesn't support the `?ssh-format=openssh` query parameter. SSH keys must be stored as Secure Notes with the OpenSSH-formatted key (see `argocd-forge-ssh-key` item).
|
|
|
|
```bash
|
|
# Check all ExternalSecrets
|
|
kubectl --context=minikube-indri get externalsecret -A
|
|
|
|
# Find 1Password field names
|
|
op item get <item> --vault blumeops --format json | jq '.fields[] | .label'
|
|
```
|
|
|
|
## Bootstrap (One-Time Setup)
|
|
|
|
If reinstalling from scratch:
|
|
|
|
1. Create Connect server credentials:
|
|
```bash
|
|
op connect server create blumeops --vaults blumeops
|
|
op connect token create blumeops --server <server-id> --vault blumeops
|
|
```
|
|
|
|
2. Store in 1Password item "1Password Connect":
|
|
- `credentials-file`: raw JSON
|
|
- `credentials-base64`: base64-encoded JSON
|
|
- `token`: access token
|
|
|
|
3. Apply bootstrap secret:
|
|
```bash
|
|
kubectl --context=minikube-indri create namespace 1password
|
|
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
|
|
kubectl --context=minikube-indri apply -f -
|
|
```
|
|
|
|
4. Sync apps in order:
|
|
- `argocd app sync 1password-connect`
|
|
- `argocd app sync external-secrets-crds`
|
|
- `argocd app sync external-secrets`
|
|
- `argocd app sync external-secrets-config`
|
|
|
|
## Related
|
|
|
|
- [[1767747119-YCPO|BlumeOps]]
|
|
- [[argocd|ArgoCD]]
|