## Summary

- Renders manifests from `connect-helm-charts v2.4.1` as plain kustomize (deployment + service)
- Bumps 1Password Connect from 1.8.1 → 1.8.2
- Completes the no-helm-policy migration — all services now use kustomize
- Retains all production hardening from the Helm chart (securityContext, runAsNonRoot, drop ALL, seccomp, resource limits)

## Changes

- **New:** `deployment.yaml`, `service.yaml`, `kustomization.yaml` in `argocd/manifests/1password-connect/`
- **Rewritten:** Both ArgoCD app definitions (indri + ringtail) — single source kustomize instead of multi-source Helm
- **Deleted:** `values.yaml` (Helm values no longer needed)
- **Updated:** `no-helm-policy.md`, `service-versions.yaml`, `README.md`

## Deployment plan

1. Sync `apps` app to pick up the new app definitions
2. `argocd app set 1password-connect --revision 1password-connect-kustomize`
3. `argocd app sync 1password-connect` — verify on indri
4. Repeat for ringtail
5. After merge: reset revision to main, re-sync both

## Test plan

- [ ] `kubectl kustomize` renders cleanly (verified locally)
- [ ] ArgoCD diff shows expected changes (Helm labels removed, images bumped)
- [ ] Pods come up healthy on indri
- [ ] External Secrets still resolves 1Password items
- [ ] Repeat on ringtail

Reviewed-on: #326
# 1Password Connect

1Password Connect provides REST API access to 1Password vault items for External Secrets Operator.

## Architecture

```
1Password Cloud
      |
      v
1Password Connect (this service)
      |
      v
External Secrets Operator
      |
      v
Native Kubernetes Secrets
```
## Prerequisites (One-Time Setup)

Run these steps on the workstation (gilbert) before deploying:

1. Create Connect Server Credentials

   ```bash
   # This creates the credentials file and outputs a server ID
   op connect server create blumeops --vaults blumeops
   # Save the 1password-credentials.json file contents
   ```

2. Create Access Token

   ```bash
   # Replace <server-id> with the ID from step 1
   op connect token create blumeops --server <server-id> --vault blumeops
   # Save the token
   ```

3. Store Credentials in 1Password

   Create a new item "1Password Connect" in the blumeops vault with:

   - `credentials-file` field: paste the contents of `1password-credentials.json` (raw JSON, NOT base64 encoded)
   - `token` field: paste the access token

   Note: Chart 2.3.0+ mounts credentials as a file with standard k8s base64 encoding. The old `credentials-base64` field is no longer needed.

4. Create Bootstrap Secret

   ```bash
   kubectl --context=minikube-indri create namespace 1password
   op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
     kubectl --context=minikube-indri apply -f -
   ```
## Version Management

Image versions are pinned in `kustomization.yaml` via `images[].newTag`. To upgrade:

- Update `newTag` for both `1password/connect-api` and `1password/connect-sync`
- Sync via ArgoCD

The manifests were rendered from connect-helm-charts v2.4.1 and are maintained as plain kustomize.
## Deployment

```bash
argocd app sync apps
argocd app sync 1password-connect
```

## Verification

```bash
# Check pods are running
kubectl --context=minikube-indri -n 1password get pods
# Check logs
kubectl --context=minikube-indri -n 1password logs -l app=onepassword-connect
# Test API health (port-forward first)
kubectl --context=minikube-indri -n 1password port-forward svc/onepassword-connect 8080:8080 &
curl http://localhost:8080/health
```
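The PR summary states that the kustomize rendering retains the Helm chart's hardening (runAsNonRoot, drop ALL, seccomp, resource limits). The script below is an added check for exactly that claim and is not part of the repository: it walks every container of every rendered Deployment and reports each missing control, so the "renders cleanly" item in the test plan can also cover "renders hardened". It assumes the rendered manifests are fed in as JSON (for example `kubectl kustomize argocd/manifests/1password-connect | kubectl create --dry-run=client -o json -f -`, an assumed pipeline) and ships with a constructed sample so it also runs offline.

```python
import json
import sys
# Constructed sample of rendered objects (not the repo's real output); connect-sync lacks a memory limit on purpose.
HARDENED = {"runAsNonRoot": True, "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"}}
SAMPLE = [{"kind": "Deployment", "metadata": {"name": "onepassword-connect"},
           "spec": {"template": {"spec": {"containers": [
               {"name": "connect-api", "securityContext": HARDENED,
                "resources": {"limits": {"cpu": "200m", "memory": "128Mi"}}},
               {"name": "connect-sync", "securityContext": HARDENED,
                "resources": {"limits": {"cpu": "200m"}}}]}}}}]

def parse_stream(text):
    """Parse kubectl -o json output: one object, a List, or several concatenated objects."""
    dec, pos, objs = json.JSONDecoder(), 0, []
    while (pos := len(text) - len(text[pos:].lstrip())) < len(text):  # skip to next object
        obj, pos = dec.raw_decode(text, pos)
        objs.extend(obj["items"] if obj.get("kind") == "List" else [obj])
    return objs

def _seccomp(spec):
    return spec.get("securityContext", {}).get("seccompProfile", {}).get("type")

def container_findings(container, pod_seccomp=None):
    """Hardening gaps for one container spec; seccomp may be inherited from the pod level."""
    gaps, sc = [], container.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        gaps.append("runAsNonRoot not true")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        gaps.append("capabilities.drop lacks ALL")
    if "RuntimeDefault" not in (_seccomp(container), pod_seccomp):
        gaps.append("no RuntimeDefault seccompProfile")
    limits = container.get("resources", {}).get("limits", {})
    gaps.extend(f"no {res} limit" for res in ("cpu", "memory") if res not in limits)
    return gaps

def check_hardening(objects):
    """Map 'deployment/container' to its gaps; {} means every container passed."""
    findings = {}
    for obj in (o for o in objects if o.get("kind") == "Deployment"):
        pod = obj["spec"]["template"]["spec"]
        for c in pod.get("containers", []):
            gaps = container_findings(c, _seccomp(pod))
            if gaps:
                findings[f"{obj['metadata']['name']}/{c['name']}"] = gaps
    return findings

if __name__ == "__main__":  # pipe rendered JSON in; an interactive tty falls back to SAMPLE
    result = check_hardening(SAMPLE if sys.stdin.isatty() else parse_stream(sys.stdin.read()))
    sys.exit(json.dumps(result, indent=2) if result else 0)  # non-zero exit with the gaps listed
```

Run it against both clusters' rendered output before syncing; a non-zero exit lists the exact container and control that regressed.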
## Troubleshooting

### Pods not starting

- Check the bootstrap secret exists:
  `kubectl --context=minikube-indri -n 1password get secret op-credentials`
- Verify credentials format in 1Password item

### API returning 401

- Check the token secret:
  `kubectl --context=minikube-indri -n 1password get secret onepassword-token`
- Verify the token has access to the blumeops vault