blumeops/argocd/manifests/1password-connect
Erich Blume c7e5af6d51 Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326)
## Summary

- Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service)
- Bumps 1Password Connect from 1.8.1 → 1.8.2
- Completes the no-helm-policy migration — all services now use kustomize
- Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits)

## Changes

- **New:** `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/`
- **Rewritten:** Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm
- **Deleted:** `values.yaml` (Helm values no longer needed)
- **Updated:** `no-helm-policy.md`, `service-versions.yaml`, `README.md`

## Deployment plan

1. Sync `apps` app to pick up the new app definitions
2. `argocd app set 1password-connect --revision 1password-connect-kustomize`
3. `argocd app sync 1password-connect` — verify on indri
4. Repeat for ringtail
5. After merge: reset revision to main, re-sync both

## Test plan

- [ ] `kubectl kustomize` renders cleanly (verified locally)
- [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped)
- [ ] Pods come up healthy on indri
- [ ] External Secrets still resolves 1Password items
- [ ] Repeat on ringtail

Reviewed-on: #326
2026-04-06 07:31:40 -07:00
deployment.yaml
kustomization.yaml
README.md
secret-credentials.yaml.tpl
service.yaml

1Password Connect

1Password Connect provides REST API access to 1Password vault items for External Secrets Operator.

Architecture

1Password Cloud
      |
      v
1Password Connect (this service)
      |
      v
External Secrets Operator
      |
      v
Native Kubernetes Secrets

Prerequisites (One-Time Setup)

Run these steps on the workstation (gilbert) before deploying:

1. Create Connect Server Credentials

# This creates the credentials file and outputs a server ID
op connect server create blumeops --vaults blumeops

# Save the 1password-credentials.json file contents

2. Create Access Token

# Replace <server-id> with the ID from step 1
op connect token create blumeops --server <server-id> --vault blumeops

# Save the token

3. Store Credentials in 1Password

Create a new item "1Password Connect" in the blumeops vault with:

  • credentials-file field: Paste the contents of 1password-credentials.json (raw JSON, NOT base64 encoded)
  • token field: Paste the access token

Note: Chart 2.3.0+ (and therefore the manifests rendered here from v2.4.1) mounts the credentials as a file from a Kubernetes Secret. Kubernetes base64-encodes Secret data itself, so the 1Password field must hold the raw JSON; the old credentials-base64 field (a second, manual base64 layer) is no longer needed.

4. Create Bootstrap Secret

kubectl --context=minikube-indri create namespace 1password
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
  kubectl --context=minikube-indri apply -f -
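The four steps above hinge on one detail that is easy to get wrong: the credentials pasted into 1Password must be the raw JSON, because Kubernetes adds its own base64 layer when the Secret is stored. The script below is an added example (not code from the blumeops repo) that checks the file before it is pasted, creates the namespace idempotently, applies the bootstrap secret, and then reads the Secret back to confirm the decoded payload is still raw JSON. It assumes the rendered Secret is named op-credentials and stores the file under the key 1password-credentials.json (the connect-helm-charts defaults); adjust both if the template differs.

```bash
#!/usr/bin/env bash
# Added example, not part of the blumeops repo: validate and apply the
# 1Password Connect bootstrap secret.
set -eu

CTX="${CTX:-minikube-indri}"   # kube context used throughout this README
NS="1password"
TPL="argocd/manifests/1password-connect/secret-credentials.yaml.tpl"
# Assumption: Secret name and key match the connect-helm-charts defaults.
SECRET="op-credentials"
KEY="1password-credentials.json"

# Classify credential text. Prints one of: raw-json, base64-encoded (...),
# empty, not a JSON object. Returns 0 only for raw-json.
# base64 of text beginning with "{" always starts with "ey" or "ew", which is
# a reliable tell for the old double-encoded format.
credentials_format() {
  local trimmed
  trimmed="$(printf '%s' "$1" | tr -d '[:space:]')"
  [ -n "$trimmed" ] || { echo "empty"; return 1; }
  case "$trimmed" in
    ey*|ew*) echo "base64-encoded (paste the raw JSON instead)"; return 1 ;;
    \{*\})   echo "raw-json"; return 0 ;;
    *)       echo "not a JSON object"; return 1 ;;
  esac
}

apply_bootstrap_secret() {
  local creds_file="${1:-1password-credentials.json}" stored
  # Refuse to continue if the file the operator will paste is not raw JSON.
  credentials_format "$(cat "$creds_file")"

  # Plain `create namespace` fails on re-run; dry-run + apply is idempotent.
  kubectl --context="$CTX" create namespace "$NS" --dry-run=client -o yaml \
    | kubectl --context="$CTX" apply -f -

  op inject -i "$TPL" | kubectl --context="$CTX" apply -f -

  # Read the Secret back: the single base64 layer is Kubernetes' own, so the
  # decoded value must classify as raw-json again.
  stored="$(kubectl --context="$CTX" -n "$NS" get secret "$SECRET" \
    -o "jsonpath={.data.$(printf '%s' "$KEY" | sed 's/\./\\./g')}" | base64 -d)"
  credentials_format "$stored"
}

# Usage: ./bootstrap-check.sh --apply [path/to/1password-credentials.json]
if [ "${1:-}" = "--apply" ]; then apply_bootstrap_secret "${2:-}"; fi
```

The jsonpath escapes the dots in the key name, which is required for keys like 1password-credentials.json; a bare `{.data.1password-credentials.json}` would silently return nothing.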

Version Management

Image versions are pinned in kustomization.yaml via images[].newTag. To upgrade:

  1. Update newTag for both 1password/connect-api and 1password/connect-sync
  2. Sync via ArgoCD

The manifests were rendered from connect-helm-charts v2.4.1 and are maintained as plain kustomize.
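Because the two Connect images are pinned separately in kustomization.yaml, a bump can leave connect-api and connect-sync on different versions, or drop the tag entirely. The check below is an added example (not code from the blumeops repo) that reads `kubectl kustomize` output on stdin and fails if any image is untagged or `latest`, or if the connect-api and connect-sync tags disagree. It only relies on the image names ending in connect-api and connect-sync, which matches the images named in this README.

```bash
#!/usr/bin/env bash
# Added example, not part of the blumeops repo.
# Usage: kubectl kustomize argocd/manifests/1password-connect | check_image_pins
set -eu

# Reads rendered YAML on stdin, prints "<image>=<tag>" for every container
# image, and returns non-zero on a floating tag or an api/sync mismatch.
check_image_pins() {
  tr -d "\"'" | awk '
    /^[[:space:]]*-?[[:space:]]*image:/ {
      img = $0
      sub(/.*image:[[:space:]]*/, "", img)      # drop the key
      sub(/[[:space:]]*(#.*)?$/, "", img)       # drop a trailing comment
      if (index(img, "@sha256:") > 0) {         # digest-pinned: always fine
        name = substr(img, 1, index(img, "@") - 1); tag = "digest"
      } else {
        n = split(img, p, ":")
        # The last ":" part is a tag unless it contains "/", i.e. it is a
        # registry port like registry:5000/img with no tag at all.
        if (n > 1 && p[n] !~ /\//) {
          tag = p[n]; name = substr(img, 1, length(img) - length(tag) - 1)
        } else { tag = ""; name = img }
      }
      print name "=" (tag == "" ? "<none>" : tag)
      if (tag == "" || tag == "latest") bad++
      if (name ~ /connect-api$/)  api_tag = tag
      if (name ~ /connect-sync$/) sync_tag = tag
    }
    END {
      if (bad) { print "ERROR: untagged or :latest image" > "/dev/stderr"; exit 1 }
      if (api_tag == "" || sync_tag == "") {
        print "ERROR: connect-api or connect-sync not found" > "/dev/stderr"; exit 1
      }
      if (api_tag != sync_tag) {
        print "ERROR: connect-api " api_tag " != connect-sync " sync_tag > "/dev/stderr"; exit 1
      }
    }'
}
```

Run it as a local pre-sync step alongside `kubectl kustomize`; the same stdin works for `argocd app manifests 1password-connect` if you prefer to check what ArgoCD will actually apply.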

Deployment

argocd app sync apps
argocd app sync 1password-connect

Verification

# Check pods are running
kubectl --context=minikube-indri -n 1password get pods

# Check logs
kubectl --context=minikube-indri -n 1password logs -l app=onepassword-connect

# Test API health (port-forward first; the trailing & keeps it running in the background until you kill it)
kubectl --context=minikube-indri -n 1password port-forward svc/onepassword-connect 8080:8080 &
curl http://localhost:8080/health

Troubleshooting

Pods not starting

  • Check the bootstrap secret exists: kubectl --context=minikube-indri -n 1password get secret op-credentials
  • Verify credentials format in 1Password item

API returning 401

  • Check the token secret: kubectl --context=minikube-indri -n 1password get secret onepassword-token
  • Verify the token has access to the blumeops vault
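The Verification and Troubleshooting sections above check the same things by hand: that both bootstrap secrets exist, that /health answers, and that the token is accepted and can actually see the blumeops vault. The script below is an added example (not code from the blumeops repo) that runs those checks end to end, cleaning up the port-forward on exit and separating "token rejected (401)" from "token valid but vault not granted", which look identical from External Secrets' side. It assumes the token is stored under the key token in the onepassword-token secret (the connect-helm-charts default) and that the Connect API listens on 8080, as the port-forward above implies; GET /v1/vaults is the Connect REST endpoint that lists the vaults a token may read.

```bash
#!/usr/bin/env bash
# Added example, not part of the blumeops repo: end-to-end check of a
# 1Password Connect deployment. Usage: ./verify-connect.sh --run
set -eu

CTX="${CTX:-minikube-indri}"
NS="1password"
VAULT="${VAULT:-blumeops}"
PORT="${PORT:-8080}"
BASE="http://localhost:${PORT}"

# True when the /v1/vaults body (a JSON array of vault objects) names $1.
vault_listed() {
  printf '%s' "$2" | tr -d ' \n\t' | grep -qF "\"name\":\"$1\""
}

# Turn the HTTP status and body of GET /v1/vaults into a verdict.
diagnose_vaults_response() {
  local code="$1" body="$2"
  case "$code" in
    200)
      if vault_listed "$VAULT" "$body"; then
        echo "ok: token can read vault $VAULT"
      else
        echo "token accepted but vault $VAULT is not granted to it"; return 1
      fi ;;
    401) echo "401: token rejected; re-create it (step 2), update the token field in 1Password, re-run the bootstrap secret"; return 1 ;;
    *)   echo "unexpected HTTP $code from /v1/vaults"; return 1 ;;
  esac
}

verify_connect() {
  local pf_pid code token body_file body i
  # Both bootstrap secrets must exist before anything else is worth checking.
  kubectl --context="$CTX" -n "$NS" get secret op-credentials onepassword-token >/dev/null

  kubectl --context="$CTX" -n "$NS" port-forward svc/onepassword-connect "${PORT}:8080" >/dev/null 2>&1 &
  pf_pid=$!
  trap 'kill "$pf_pid" 2>/dev/null || true' EXIT   # never leave the forward dangling

  i=0                                              # wait up to ~10s for the tunnel
  while [ "$i" -lt 20 ]; do
    curl -sf "$BASE/health" >/dev/null 2>&1 && break
    i=$((i + 1)); sleep 0.5
  done
  code="$(curl -s -o /dev/null -w '%{http_code}' "$BASE/health")"
  [ "$code" = "200" ] || { echo "/health returned HTTP $code; check pod logs"; return 1; }
  echo "ok: /health is 200"

  # Assumption: key "token" in the onepassword-token secret.
  token="$(kubectl --context="$CTX" -n "$NS" get secret onepassword-token \
    -o 'jsonpath={.data.token}' | base64 -d)"
  body_file="$(mktemp)"
  code="$(curl -s -o "$body_file" -w '%{http_code}' \
    -H "Authorization: Bearer $token" "$BASE/v1/vaults")"
  body="$(cat "$body_file")"; rm -f "$body_file"
  diagnose_vaults_response "$code" "$body"
}

if [ "${1:-}" = "--run" ]; then verify_connect; fi
```

A 200 from /health with a 401 from /v1/vaults points at the token (or the token secret), not at the credentials file; a 200 whose vault list lacks blumeops means the token was created without `--vault blumeops` and External Secrets will fail on every item in that vault.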