Erich Blume
482414346e
## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66
42 lines
1.6 KiB
Smarty
42 lines
1.6 KiB
Smarty
# 1Password Connect bootstrap credentials
|
|
#
|
|
# This template is processed ONCE manually to bootstrap the system.
|
|
# After External Secrets is operational, this could be converted to an
|
|
# ExternalSecret for self-management (chicken-and-egg bootstrap).
|
|
#
|
|
# Prerequisites:
|
|
# 1. Create Connect server: op connect server create blumeops --vaults blumeops
|
|
# 2. Create token: op connect token create blumeops --server <server-id> --vault blumeops
|
|
# 3. Create 1Password item "1Password Connect" in blumeops vault with:
|
|
# - credentials-file: contents of 1password-credentials.json (raw JSON)
|
|
# - credentials-base64: base64-encoded contents of 1password-credentials.json
|
|
# - token: the access token
|
|
#
|
|
# To add credentials-base64 to existing item:
|
|
# CREDS=$(op item get "1Password Connect" --vault blumeops --format json | \
|
|
# jq -r '.fields[] | select(.label == "credentials-file") | .value' | base64)
|
|
# op item edit "1Password Connect" --vault blumeops "credentials-base64=$CREDS"
|
|
#
|
|
# Usage:
|
|
# kubectl --context=minikube-indri create namespace 1password
|
|
# op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
|
|
# kubectl --context=minikube-indri apply -f -
|
|
#
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: op-credentials
|
|
namespace: 1password
|
|
type: Opaque
|
|
stringData:
|
|
# OP_SESSION env var expects base64-encoded credentials
|
|
1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-base64 }}"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: onepassword-token
|
|
namespace: 1password
|
|
type: Opaque
|
|
stringData:
|
|
token: "{{ op://blumeops/1Password Connect/token }}"
|