blumeops/docs/reference/services/1password.md
Erich Blume 649ae15204 Fix escaped pipes in wiki-links
Remove backslash escaping from pipe characters in wiki-links.
Correct: [[services/forgejo|Forgejo]]
Wrong: [[services/forgejo\|Forgejo]]

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 13:33:14 -08:00

title: 1Password
tags: service, secrets

1Password

Root credential store for all BlumeOps secrets, synced to Kubernetes via External Secrets Operator.

Architecture

1Password Cloud
      |
      v
1Password Connect (namespace: 1password)
      |
      v
External Secrets Operator (namespace: external-secrets)
      |
      v
Native Kubernetes Secrets

Vault

The blumeops vault contains all infrastructure credentials.

Kubernetes Integration

ClusterSecretStore: onepassword-blumeops

Services reference 1Password items via ExternalSecret manifests. Example: argocd/manifests/devpi/external-secret.yaml
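
The following is an added illustration of the shape such a manifest takes with the 1Password provider; it is not the contents of the devpi manifest in this repository. The namespace, Secret name, item title, and field label are hypothetical, and the apiVersion is assumed to match the installed External Secrets Operator release.

```yaml
# Constructed example: one 1Password item field synced into a native Secret.
apiVersion: external-secrets.io/v1   # assumption: older ESO releases serve v1beta1 instead
kind: ExternalSecret
metadata:
  name: devpi-credentials            # hypothetical name
  namespace: devpi                   # hypothetical namespace
spec:
  # How often ESO re-reads the item through 1Password Connect.
  refreshInterval: 1h
  secretStoreRef:
    # Cluster-scoped store named on this page; any namespace can reference it,
    # so RBAC on who may create ExternalSecrets is what limits access to vault items.
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    # Name of the native Kubernetes Secret that ESO creates and owns.
    name: devpi-credentials
    creationPolicy: Owner
  data:
    - secretKey: root-password       # key inside the resulting Secret (hypothetical)
      remoteRef:
        key: devpi                   # 1Password item title (hypothetical)
        property: password           # field label within that item (hypothetical)
```

Listing fields individually under `data` keeps the resulting Secret limited to what the workload needs, rather than copying every field of the item.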

CLI Usage

# Get a secret field
op --vault blumeops item get <item-id> --fields <field> --reveal

# Inject into a template
op inject -i secret.yaml.tpl | kubectl apply -f -

Bootstrap (Disaster Recovery)

  1. Create Connect server: op connect server create blumeops --vaults blumeops
  2. Create token: op connect token create blumeops --server <id> --vault blumeops
  3. Store credentials in 1Password item "1Password Connect"
  4. Apply bootstrap secret to k8s
  5. Sync apps: 1password-connect, external-secrets-crds, external-secrets, external-secrets-config