eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/1password-connect/README.md
Erich Blume aae7726ecc Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) 
Renders manifests from connect-helm-charts v2.4.1 as plain kustomize,
completing the no-helm-policy migration. All services now use kustomize.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 07:15:41 -07:00

101 lines
2.7 KiB
Markdown
Raw Blame History

# 1Password Connect
1Password Connect provides REST API access to 1Password vault items for External Secrets Operator.
## Architecture
```
1Password Cloud
|
v
1Password Connect (this service)
|
v
External Secrets Operator
|
v
Native Kubernetes Secrets
```
## Prerequisites (One-Time Setup)
Run these steps on the workstation (gilbert) before deploying:
### 1. Create Connect Server Credentials
```bash
# This creates the credentials file and outputs a server ID
op connect server create blumeops --vaults blumeops
# Save the 1password-credentials.json file contents
```
### 2. Create Access Token
```bash
# Replace <server-id> with the ID from step 1
op connect token create blumeops --server <server-id> --vault blumeops
# Save the token
```
### 3. Store Credentials in 1Password
Create a new item "1Password Connect" in the blumeops vault with:
- `credentials-file` field: Paste the contents of `1password-credentials.json` (raw JSON, NOT base64 encoded)
- `token` field: Paste the access token
> **Note:** Chart 2.3.0+ mounts credentials as a file with standard k8s base64 encoding. The old `credentials-base64` field is no longer needed.
### 4. Create Bootstrap Secret
```bash
kubectl --context=minikube-indri create namespace 1password
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
kubectl --context=minikube-indri apply -f -
```
## Version Management
Image versions are pinned in `kustomization.yaml` via `images[].newTag`. To upgrade:
1. Update `newTag` for both `1password/connect-api` and `1password/connect-sync`
2. Sync via ArgoCD
The manifests were rendered from `connect-helm-charts v2.4.1` and are maintained as plain kustomize.
## Deployment
```bash
argocd app sync apps
argocd app sync 1password-connect
```
## Verification
```bash
# Check pods are running
kubectl --context=minikube-indri -n 1password get pods
# Check logs
kubectl --context=minikube-indri -n 1password logs -l app=onepassword-connect
# Test API health (port-forward first)
kubectl --context=minikube-indri -n 1password port-forward svc/onepassword-connect 8080:8080 &
curl http://localhost:8080/health
```
## Troubleshooting
### Pods not starting
- Check the bootstrap secret exists: `kubectl --context=minikube-indri -n 1password get secret op-credentials`
- Verify credentials format in 1Password item
### API returning 401
- Check the token secret: `kubectl --context=minikube-indri -n 1password get secret onepassword-token`
- Verify the token has access to the blumeops vault
## Related
- [1Password Connect Documentation](https://developer.1password.com/docs/connect/)
- [External Secrets Operator](../external-secrets/README.md)
Reference in a new issue View git blame Copy permalink