## Summary

- Add 1Password Connect server for secrets automation API
- Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s
- Add ClusterSecretStore connecting ESO to 1Password Connect
- Convert devpi secret to ExternalSecret as proof of concept

## Architecture

```
1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets
```

## Deployment and Testing

- [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE
- [ ] Create 1Password Connect credentials (`op connect server create`)
- [ ] Store credentials in 1Password item "1Password Connect"
- [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | kubectl apply -f -`
- [ ] Deploy 1password-connect: `argocd app sync 1password-connect`
- [ ] Deploy external-secrets: `argocd app sync external-secrets`
- [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config`
- [ ] Test devpi ExternalSecret: `argocd app sync devpi`
- [ ] Verify secret synced: `kubectl get externalsecret -n devpi`

## Future Work

After PoC validated, migrate remaining 12 secret templates to ExternalSecrets:

- databases (3), tailscale-operator (1), grafana-config (2), teslamate (2)
- forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66
# 1Password Connect

1Password Connect provides REST API access to 1Password vault items for External Secrets Operator.

## Architecture

```
1Password Cloud
      |
      v
1Password Connect (this service)
      |
      v
External Secrets Operator
      |
      v
Native Kubernetes Secrets
```
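The ESO side of this chain, as an added example rather than a manifest from this repository: a ClusterSecretStore that points External Secrets Operator at the Connect service above, and an ExternalSecret that materialises a native Secret from it. The in-cluster address `onepassword-connect.1password.svc.cluster.local:8080` (built from the service name and port used in the verification section), the key name `token` inside the `onepassword-token` Secret, and a 1Password item titled `devpi` with a `password` field in the `blumeops` vault are all assumptions.

```yaml
# Added example, not the repository's own manifests.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepassword:
      # In-cluster address of the Connect service deployed by this chart
      # (assumed DNS name; the port matches the verification section).
      connectHost: http://onepassword-connect.1password.svc.cluster.local:8080
      # Vaults ESO may read from, with lookup priority; only the vault the
      # Connect token was scoped to (prerequisites step 2) is listed, so a
      # compromised token or store cannot reach other vaults.
      vaults:
        blumeops: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            # The bootstrap token secret; the key name "token" is assumed.
            name: onepassword-token
            namespace: 1password
            key: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: devpi
  namespace: devpi
spec:
  # How often ESO re-reads the item; rotations in 1Password propagate
  # within this interval without a redeploy.
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: devpi-secret        # native Secret that ESO creates and keeps in sync
    creationPolicy: Owner     # ESO owns the Secret and removes it with the ExternalSecret
  data:
    - secretKey: password     # key inside the generated Secret
      remoteRef:
        key: devpi            # 1Password item title (assumed)
        property: password    # field on that item (assumed)
```

After applying both, `kubectl get externalsecret -n devpi` should report the ExternalSecret as Ready; a `SecretSyncedError` carrying a 401 from Connect is the same failure the troubleshooting section covers (token secret present, but the token lacks access to the vault).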
## Prerequisites (One-Time Setup)

Run these steps on the workstation (gilbert) before deploying:

### 1. Create Connect Server Credentials

```
# This creates the credentials file and outputs a server ID
op connect server create blumeops --vaults blumeops
# Save the 1password-credentials.json file contents
```

### 2. Create Access Token

```
# Replace <server-id> with the ID from step 1
op connect token create blumeops --server <server-id> --vault blumeops
# Save the token
```

### 3. Store Credentials in 1Password

Create a new item "1Password Connect" in the blumeops vault with:

- `credentials-file` field: Paste the contents of `1password-credentials.json` (NOT base64 encoded)
- `token` field: Paste the access token

### 4. Create Bootstrap Secret

```
kubectl --context=minikube-indri create namespace 1password
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
  kubectl --context=minikube-indri apply -f -
```
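What the bootstrap template fed to `op inject` in step 4 can look like, as an added example and not the repository's own `secret-credentials.yaml.tpl`. The Secret names `op-credentials` and `onepassword-token` in namespace `1password` come from the troubleshooting section; the data keys `1password-credentials.json` and `token` are assumed to be the Connect Helm chart defaults, and the item/field names follow step 3. `op inject` replaces each `op://vault/item/field` reference with the field's value at apply time, so the rendered manifest never touches disk.

```yaml
# Added example of a bootstrap template; not the repository's file.
# Secret names match the troubleshooting section; data keys are assumed
# Connect chart defaults; item and field names follow step 3.
apiVersion: v1
kind: Secret
metadata:
  name: op-credentials
  namespace: 1password
type: Opaque
stringData:
  # stringData lets Kubernetes base64-encode the value, which is why the
  # 1Password item holds the raw JSON (step 3). The block scalar assumes
  # the credentials JSON is a single line; re-indent it if it spans several.
  1password-credentials.json: |
    {{ op://blumeops/1Password Connect/credentials-file }}
---
apiVersion: v1
kind: Secret
metadata:
  name: onepassword-token
  namespace: 1password
type: Opaque
stringData:
  # Connect token from step 2, read by the chart and by ESO's ClusterSecretStore.
  token: {{ op://blumeops/1Password Connect/token }}
```

Because the pipe goes straight from `op inject` to `kubectl apply`, the only long-lived copy of these credentials outside the cluster is the 1Password item itself; if either Secret is later deleted, re-running the step 4 pipeline recreates it from the same item.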
## Deployment

```
argocd app sync apps
argocd app sync 1password-connect
```

## Verification

```
# Check pods are running
kubectl --context=minikube-indri -n 1password get pods

# Check logs
kubectl --context=minikube-indri -n 1password logs -l app=onepassword-connect

# Test API health (port-forward first)
kubectl --context=minikube-indri -n 1password port-forward svc/onepassword-connect 8080:8080 &
curl http://localhost:8080/health
```
## Troubleshooting

### Pods not starting

- Check the bootstrap secret exists:
  ```
  kubectl --context=minikube-indri -n 1password get secret op-credentials
  ```
- Verify credentials format in 1Password item

### API returning 401

- Check the token secret:
  ```
  kubectl --context=minikube-indri -n 1password get secret onepassword-token
  ```
- Verify the token has access to the blumeops vault