eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/1password-connect/README.md
Erich Blume c7e5af6d51 Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326) 
## Summary

- Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service)
- Bumps 1Password Connect from 1.8.1 → 1.8.2
- Completes the no-helm-policy migration — all services now use kustomize
- Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits)

## Changes

- **New:** `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/`
- **Rewritten:** Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm
- **Deleted:** `values.yaml` (Helm values no longer needed)
- **Updated:** `no-helm-policy.md`, `service-versions.yaml`, `README.md`

## Deployment plan

1. Sync `apps` app to pick up the new app definitions
2. `argocd app set 1password-connect --revision 1password-connect-kustomize`
3. `argocd app sync 1password-connect` — verify on indri
4. Repeat for ringtail
5. After merge: reset revision to main, re-sync both

## Test plan

- [ ] `kubectl kustomize` renders cleanly (verified locally)
- [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped)
- [ ] Pods come up healthy on indri
- [ ] External Secrets still resolves 1Password items
- [ ] Repeat on ringtail

Reviewed-on: #326
2026-04-06 07:31:40 -07:00

101 lines
2.7 KiB
Markdown
Raw Blame History

# 1Password Connect
1Password Connect provides REST API access to 1Password vault items for External Secrets Operator.
## Architecture
```
1Password Cloud
|
v
1Password Connect (this service)
|
v
External Secrets Operator
|
v
Native Kubernetes Secrets
```
## Prerequisites (One-Time Setup)
Run these steps on the workstation (gilbert) before deploying:
### 1. Create Connect Server Credentials
```bash
# This creates the credentials file and outputs a server ID
op connect server create blumeops --vaults blumeops
# Save the 1password-credentials.json file contents
```
### 2. Create Access Token
```bash
# Replace <server-id> with the ID from step 1
op connect token create blumeops --server <server-id> --vault blumeops
# Save the token
```
### 3. Store Credentials in 1Password
Create a new item "1Password Connect" in the blumeops vault with:
- `credentials-file` field: Paste the contents of `1password-credentials.json` (raw JSON, NOT base64 encoded)
- `token` field: Paste the access token
> **Note:** Chart 2.3.0+ mounts credentials as a file with standard k8s base64 encoding. The old `credentials-base64` field is no longer needed.
### 4. Create Bootstrap Secret
```bash
kubectl --context=minikube-indri create namespace 1password
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
kubectl --context=minikube-indri apply -f -
```
## Version Management
Image versions are pinned in `kustomization.yaml` via `images[].newTag`. To upgrade:
1. Update `newTag` for both `1password/connect-api` and `1password/connect-sync`
2. Sync via ArgoCD
The manifests were rendered from `connect-helm-charts v2.4.1` and are maintained as plain kustomize.
## Deployment
```bash
argocd app sync apps
argocd app sync 1password-connect
```
## Verification
```bash
# Check pods are running
kubectl --context=minikube-indri -n 1password get pods
# Check logs
kubectl --context=minikube-indri -n 1password logs -l app=onepassword-connect
# Test API health (port-forward first)
kubectl --context=minikube-indri -n 1password port-forward svc/onepassword-connect 8080:8080 &
curl http://localhost:8080/health
```
## Troubleshooting
### Pods not starting
- Check the bootstrap secret exists: `kubectl --context=minikube-indri -n 1password get secret op-credentials`
- Verify credentials format in 1Password item
### API returning 401
- Check the token secret: `kubectl --context=minikube-indri -n 1password get secret onepassword-token`
- Verify the token has access to the blumeops vault
## Related
- [1Password Connect Documentation](https://developer.1password.com/docs/connect/)
- [External Secrets Operator](../external-secrets/README.md)
Reference in a new issue View git blame Copy permalink