blumeops/docs/reference/services/1password.md
Erich Blume ce1f696bd8 Add Reference section with 24 technical reference cards
Phase 2 of documentation restructuring. Creates docs/reference/ with:

Services (16):
- alloy, argocd, borgmatic, 1password, forgejo, grafana
- jellyfin, kiwix, loki, miniflux, navidrome, postgresql
- prometheus, teslamate, transmission, zot

Infrastructure (3):
- hosts - Device inventory
- tailscale - ACLs, groups, tags
- routing - DNS domains and port mappings

Kubernetes (2):
- cluster - Minikube specs
- apps - ArgoCD application registry

Storage (2):
- sifaka - Synology NAS configuration
- backups - Backup policy

All cards use wiki-links for cross-referencing and include YAML
frontmatter with title and tags for Quartz.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 13:22:19 -08:00


---
title: 1Password
tags:
- service
- secrets
---
# 1Password
Root credential store for all BlumeOps secrets, synced to Kubernetes via External Secrets Operator.
## Architecture
```
1Password Cloud
        |
        v
1Password Connect (namespace: 1password)
        |
        v
External Secrets Operator (namespace: external-secrets)
        |
        v
Native Kubernetes Secrets
```
## Vault
The `blumeops` vault contains all infrastructure credentials.
## Kubernetes Integration
**ClusterSecretStore:** `onepassword-blumeops`

Services reference 1Password items via `ExternalSecret` manifests. Example: `argocd/manifests/devpi/external-secret.yaml`
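
The shape of such a manifest, as an added example (not a file from the BlumeOps repo). The namespace, the resource names, the item title `Example App` and the field `password` are hypothetical; only the `onepassword-blumeops` store name comes from this page.

```yaml
# Added example: an ExternalSecret that copies one field of one 1Password
# item into a namespaced Kubernetes Secret. All names except the
# ClusterSecretStore are hypothetical placeholders.
apiVersion: external-secrets.io/v1   # assumption: older ESO releases serve v1beta1 instead
kind: ExternalSecret
metadata:
  name: example-app-credentials
  namespace: example
spec:
  # How often ESO re-reads the item through 1Password Connect, so a
  # rotated value reaches the cluster without a manual sync.
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    # Name of the native Secret that ESO creates in this namespace.
    name: example-app-credentials
    # Owner: the Secret is garbage-collected when this ExternalSecret is deleted.
    creationPolicy: Owner
  data:
    # Map individual fields rather than the whole item, so the workload
    # only receives the values it needs.
    - secretKey: DB_PASSWORD      # key inside the Kubernetes Secret
      remoteRef:
        key: Example App          # 1Password item title in the vault
        property: password        # field label within that item
```

`kubectl -n example get externalsecret example-app-credentials` shows whether the sync succeeded.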
## CLI Usage
```bash
# Get a secret field
op --vault blumeops item get <item-id> --fields <field> --reveal
# Inject into a template
op inject -i secret.yaml.tpl | kubectl apply -f -
```
## Bootstrap (Disaster Recovery)
1. Create Connect server: `op connect server create blumeops --vaults blumeops`
2. Create token: `op connect token create blumeops --server <id> --vault blumeops`
3. Store credentials in 1Password item "1Password Connect"
4. Apply bootstrap secret to k8s
5. Sync apps: 1password-connect, external-secrets-crds, external-secrets, external-secrets-config
## Related
- [[argocd\|ArgoCD]] - Uses secrets for git access
- [[postgresql\|PostgreSQL]] - Database credentials