Erich Blume
a45a78b478
## Summary - Add `doc-card-titles` mise task to enumerate all doc cards by title/id and detect duplicates - Remove redundant aliases from zk cards where alias matched the id - Rename `reference/storage/postgresql.md` title to "PostgreSQL Storage" to avoid duplicate with `reference/services/postgresql.md` - Convert all 175 path-based wiki-links `[[reference/path|Title]]` to title-based `[[Title]]` format - Add pre-commit hook to check for duplicate card titles on doc changes ## Deployment and Testing - [x] Pre-commit hooks pass - [x] `mise run doc-card-titles` shows no duplicates - [ ] Verify wiki-links work correctly in Quartz build 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/89
74 lines
1.9 KiB
Markdown
74 lines
1.9 KiB
Markdown
---
|
|
id: external-secrets
|
|
aliases:
|
|
- eso
|
|
- external-secrets-operator
|
|
tags:
|
|
- blumeops
|
|
---
|
|
|
|
# External Secrets Operator
|
|
|
|
External Secrets Operator (ESO) syncs secrets from 1Password to Kubernetes Secrets via 1Password Connect.
|
|
|
|
## Architecture
|
|
|
|
```
|
|
1Password Cloud
|
|
|
|
|
v
|
|
1Password Connect (namespace: 1password)
|
|
|
|
|
v
|
|
External Secrets Operator (namespace: external-secrets)
|
|
|
|
|
v
|
|
Native Kubernetes Secrets
|
|
```
|
|
|
|
## Usage
|
|
|
|
ClusterSecretStore `onepassword-blumeops` provides access to the blumeops vault. See `argocd/manifests/devpi/external-secret.yaml` for a simple example.
|
|
|
|
**Important:** 1Password Connect doesn't support the `?ssh-format=openssh` query parameter. SSH keys must be stored as Secure Notes with the OpenSSH-formatted key (see `argocd-forge-ssh-key` item).
|
|
|
|
```bash
|
|
# Check all ExternalSecrets
|
|
kubectl --context=minikube-indri get externalsecret -A
|
|
|
|
# Find 1Password field names
|
|
op item get <item> --vault blumeops --format json | jq '.fields[] | .label'
|
|
```
|
|
|
|
## Bootstrap (One-Time Setup)
|
|
|
|
If reinstalling from scratch:
|
|
|
|
1. Create Connect server credentials:
|
|
```bash
|
|
op connect server create blumeops --vaults blumeops
|
|
op connect token create blumeops --server <server-id> --vault blumeops
|
|
```
|
|
|
|
2. Store in 1Password item "1Password Connect":
|
|
- `credentials-file`: raw JSON
|
|
- `credentials-base64`: base64-encoded JSON
|
|
- `token`: access token
|
|
|
|
3. Apply bootstrap secret:
|
|
```bash
|
|
kubectl --context=minikube-indri create namespace 1password
|
|
op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
|
|
kubectl --context=minikube-indri apply -f -
|
|
```
|
|
|
|
4. Sync apps in order:
|
|
- `argocd app sync 1password-connect`
|
|
- `argocd app sync external-secrets-crds`
|
|
- `argocd app sync external-secrets`
|
|
- `argocd app sync external-secrets-config`
|
|
|
|
## Related
|
|
|
|
- [[1767747119-YCPO|BlumeOps]]
|
|
- [[argocd|ArgoCD]]
|