eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/zk/external-secrets-log.md
Erich Blume 01adc4cf0f Switch to title-based wiki-links (#91) 
## Summary
- Remove aliases from all zk cards to prevent them from capturing wiki-links
- Convert all wiki-links from `[[filename|Title]]` to `[[Title]]` format
- Replace `doc-filenames` task with `doc-titles` for duplicate title detection
- Update pre-commit hook to use `doc-titles`

Wiki-links now resolve to reference docs by their frontmatter title, which is more readable and maintainable than filename-based links.

## Deployment and Testing
- [x] Pre-commit hooks pass (including new `doc-titles` check)
- [x] Manually verified zk cards have aliases removed
- [ ] Deploy docs v1.0.7 and verify wiki-links resolve correctly
- [ ] Test links to reference docs (e.g., [[Grafana Alloy]], [[ArgoCD]])

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/91
2026-02-03 15:55:31 -08:00

71 lines
1.8 KiB
Markdown
Raw Blame History

---
id: external-secrets-log
tags:
- blumeops
---
# External Secrets Operator
External Secrets Operator (ESO) syncs secrets from 1Password to Kubernetes Secrets via 1Password Connect.
## Architecture
```
1Password Cloud
|
v
1Password Connect (namespace: 1password)
|
v
External Secrets Operator (namespace: external-secrets)
|
v
Native Kubernetes Secrets
```
## Usage
ClusterSecretStore `onepassword-blumeops` provides access to the blumeops vault. See `argocd/manifests/devpi/external-secret.yaml` for a simple example.
**Important:** 1Password Connect doesn't support the `?ssh-format=openssh` query parameter. SSH keys must be stored as Secure Notes with the OpenSSH-formatted key (see `argocd-forge-ssh-key` item).
```bash
# Check all ExternalSecrets
kubectl --context=minikube-indri get externalsecret -A
# Find 1Password field names
op item get <item> --vault blumeops --format json | jq '.fields[] | .label'
```
## Bootstrap (One-Time Setup)
If reinstalling from scratch:
1. Create Connect server credentials:
```bash
op connect server create blumeops --vaults blumeops
op connect token create blumeops --server <server-id> --vault blumeops
```
2. Store in 1Password item "1Password Connect":
- `credentials-file`: raw JSON
- `credentials-base64`: base64-encoded JSON
- `token`: access token
3. Apply bootstrap secret:
```bash
kubectl --context=minikube-indri create namespace 1password
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
kubectl --context=minikube-indri apply -f -
```
4. Sync apps in order:
- `argocd app sync 1password-connect`
- `argocd app sync external-secrets-crds`
- `argocd app sync external-secrets`
- `argocd app sync external-secrets-config`
## Related
- [[1767747119-YCPO|BlumeOps]]
- [[argocd|ArgoCD]]
Reference in a new issue View git blame Copy permalink