Erich Blume
06e721841c
Replace hardcoded image tags in Quick Reference tables with pointers to kustomization manifests (tags drift with every container release). Fix Prometheus CNPG scrape target, remove misleading .ts.net URLs, expand external-secrets stub, add backup/disaster-recovery cross-references. Limit doc-reviewer agent to one doc per cycle. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
870 B
870 B
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| External Secrets | 2026-03-23 | 2026-03-23 |
|
External Secrets
The External Secrets Operator syncs secrets from 1Password into Kubernetes Secrets. It runs in the 1password-connect namespace alongside the 1Password Connect server.
How It Works
Each service that needs secrets defines an ExternalSecret resource referencing a 1Password item and field. The operator polls 1Password Connect and creates/updates native Kubernetes Secrets.
Manifests
- Operator + Connect server:
argocd/manifests/1password-connect/ - Per-service ExternalSecrets: in each service's manifest directory (e.g.,
argocd/manifests/grafana-config/external-secret-*.yaml)
Related
- 1password - Credential management
- security-model - Secrets flow architecture