blumeops/argocd/manifests/external-secrets
Erich Blume 796baaa41a Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312)
## Summary

- Upgrade External Secrets Operator from v1.3.2 (helm-chart-2.0.0) to v2.2.0
- Migrate from Helm chart deployment to static kustomize manifests, matching the repo's kustomize-first pattern
- Merge separate `-config` ArgoCD apps into the main operator apps (6 → 4 apps)
- Clean up Helm-specific labels (`helm.sh/chart`, `managed-by: Helm`)
- Update README example from v1beta1 to v1 API

## Breaking changes assessment

Low risk — v2.0.0 removed Alibaba and Device42 providers (we use neither). No templating changes affect us. All ExternalSecrets already use v1 API.

## Deployment steps

1. Sync CRDs first on both clusters (new CRD version)
2. Sync operator apps (now kustomize-based)
3. Verify ClusterSecretStore and all ExternalSecrets are healthy
4. Delete orphaned config apps: `argocd app delete external-secrets-config` and `-config-ringtail`
5. `mise run services-check`

Reviewed-on: #312
2026-03-25 15:56:41 -07:00
| File | Last commit | Date |
| --- | --- | --- |
| cluster-secret-store.yaml | Add External Secrets Operator with 1Password Connect (#66) | 2026-01-28 19:30:10 -08:00 |
| deployment.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| kustomization.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| rbac.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| README.md | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| service.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| serviceaccount.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |
| webhook.yaml | Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) | 2026-03-25 15:56:41 -07:00 |

# External Secrets Operator

External Secrets Operator (ESO) syncs secrets from 1Password Connect to native Kubernetes Secrets.

## Architecture

- ClusterSecretStore (`onepassword-blumeops`): cluster-wide access to 1Password via Connect
- ExternalSecret (per-namespace): defines which secrets to sync from 1Password

## Prerequisites

1Password Connect must be deployed and healthy before syncing ESO.

## Deployment

```sh
argocd app sync external-secrets
```

## Verification

```sh
# Check operator pods
kubectl --context=minikube-indri -n external-secrets get pods

# Check ClusterSecretStore status
kubectl --context=minikube-indri get clustersecretstore onepassword-blumeops

# Check all ExternalSecrets across namespaces
kubectl --context=minikube-indri get externalsecret -A
```

## Creating ExternalSecrets

To sync a secret from 1Password, create an ExternalSecret in the target namespace:

```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-secret
  namespace: my-namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: my-secret           # Name of K8s Secret to create
    creationPolicy: Owner     # ESO owns and manages the Secret
  data:
  - secretKey: password       # Key in the K8s Secret
    remoteRef:
      key: My 1Password Item  # Title of item in 1Password
      property: password      # Field label in 1Password item
```

## Finding 1Password Item Details

```sh
# List items in blumeops vault
op item list --vault blumeops

# Get field names for an item
op item get <item-id> --vault blumeops --format json | jq -r '.fields[] | .label'
```

## Troubleshooting

### ClusterSecretStore not ready

- Check 1Password Connect is running: `kubectl --context=minikube-indri -n 1password get pods`
- Verify token secret exists: `kubectl --context=minikube-indri -n 1password get secret onepassword-token`

### ExternalSecret not syncing

- Check the ExternalSecret status: `kubectl --context=minikube-indri describe externalsecret <name> -n <namespace>`
- Verify the 1Password item title and field names match exactly
- Check ESO controller logs: `kubectl --context=minikube-indri -n external-secrets logs -l app.kubernetes.io/name=external-secrets`
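The verification, "Creating ExternalSecrets", "Finding 1Password Item Details" and "ExternalSecret not syncing" sections above all come down to the same two questions: is every ExternalSecret reporting Ready, and does every `remoteRef` name an item title and field label that actually exist in the vault. The script below is an added example, not part of this repo or of ESO, that answers both from the JSON the commands on this page already produce (`kubectl get externalsecret -A -o json` and `op item get <item-id> --vault blumeops --format json`). It assumes the usual shapes of that output: a `v1` List whose items carry `status.conditions[]` with a `Ready` entry, and 1Password item documents with a `title` and `fields[].label` (the same path the README's `jq` filter uses). Only labels are compared, so the sample `op` documents omit field values and the script never reads or prints them. All sample data is constructed for the example.

```python
"""Added example (not part of this repo): cross-check ExternalSecrets against
1Password items using the JSON that the commands on this page already emit:

  kubectl --context=minikube-indri get externalsecret -A -o json
  op item get <item-id> --vault blumeops --format json

Reports ExternalSecrets whose Ready condition is not True, and remoteRefs whose
item title or field label has no exact match in 1Password (with a hint when
only the letter case differs). Only labels are compared; field values are never
read or printed. All sample data below is constructed."""
import json


def _es(ns, name, refs, ready, reason, message):
    """Build a trimmed ExternalSecret object as `kubectl -o json` returns it."""
    return {
        "metadata": {"name": name, "namespace": ns},
        "spec": {"data": [{"secretKey": k, "remoteRef": {"key": t, "property": p}}
                          for k, t, p in refs]},
        "status": {"conditions": [{"type": "Ready", "status": ready,
                                   "reason": reason, "message": message}]},
    }


# Constructed `kubectl get externalsecret -A -o json` output (a v1 List).
KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _es("app", "db-creds", [("password", "Postgres Admin", "password")],
        "True", "SecretSynced", "secret synced"),
    _es("mail", "smtp", [("user", "SMTP Relay", "Username"),
                         ("pass", "smtp relay", "password")],
        "False", "SecretSyncedError", "could not get secret data from provider"),
]})

# Constructed `op item get ... --format json` documents, one per item; values omitted.
OP_ITEMS_JSON = [
    json.dumps({"id": "a1", "title": "Postgres Admin", "fields": [
        {"id": "f1", "label": "username", "type": "STRING"},
        {"id": "f2", "label": "password", "type": "CONCEALED"}]}),
    json.dumps({"id": "b2", "title": "SMTP Relay", "fields": [
        {"id": "f3", "label": "username", "type": "STRING"},
        {"id": "f4", "label": "password", "type": "CONCEALED"}]}),
]


def not_ready(kubectl_json):
    """(namespace, name, reason, message) for each ExternalSecret whose
    Ready condition is missing or not "True"."""
    out = []
    for es in json.loads(kubectl_json)["items"]:
        ns, name = es["metadata"]["namespace"], es["metadata"]["name"]
        conds = es.get("status", {}).get("conditions", [])
        ready = next((c for c in conds if c.get("type") == "Ready"), None)
        if ready is None:
            out.append((ns, name, "NoStatus", "no Ready condition reported yet"))
        elif ready.get("status") != "True":
            out.append((ns, name, ready.get("reason", ""), ready.get("message", "")))
    return out


def index_items(op_items_json):
    """Map exact item title -> set of exact field labels."""
    index = {}
    for doc in op_items_json:
        item = json.loads(doc)
        index[item["title"]] = {f["label"] for f in item.get("fields", []) if "label" in f}
    return index


def _case_hint(wanted, candidates):
    """Suggest a candidate that differs from `wanted` only in letter case."""
    for c in candidates:
        if c.lower() == wanted.lower():
            return f" (did you mean '{c}'? names must match exactly)"
    return ""


def check_refs(kubectl_json, op_items_json):
    """One problem string per remoteRef whose item title or field label
    has no exact match among the 1Password items."""
    items = index_items(op_items_json)
    problems = []
    for es in json.loads(kubectl_json)["items"]:
        where = f"{es['metadata']['namespace']}/{es['metadata']['name']}"
        for entry in es["spec"].get("data", []):
            title = entry["remoteRef"]["key"]
            prop = entry["remoteRef"].get("property")
            if title not in items:
                problems.append(f"{where}: no item titled '{title}'"
                                + _case_hint(title, items))
            elif prop is not None and prop not in items[title]:
                problems.append(f"{where}: item '{title}' has no field '{prop}'"
                                + _case_hint(prop, items[title]))
    return problems


if __name__ == "__main__":
    for ns, name, reason, msg in not_ready(KUBECTL_JSON):
        print(f"NOT READY {ns}/{name}: {reason}: {msg}")
    for problem in check_refs(KUBECTL_JSON, OP_ITEMS_JSON):
        print(f"MISMATCH {problem}")
```

On the constructed sample, `db-creds` resolves cleanly, while `mail/smtp` is reported once for its Ready condition and twice for its references (a field label `Username` where the item has `username`, and an item title `smtp relay` where the vault has `SMTP Relay`), which is exactly the "match exactly" failure the troubleshooting list describes. To run it against a real cluster, replace the two constructed constants with the output of the kubectl and `op` commands named in the docstring.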