Initial argo deployment
This commit is contained in:
41
cluster/platform/onepassword-connect/application.yaml
Normal file
41
cluster/platform/onepassword-connect/application.yaml
Normal file
@@ -0,0 +1,41 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Platform: 1Password Connect Server
|
||||
# Wave 2 — depends on ESO (wave 1) being healthy
|
||||
#
|
||||
# IMPORTANT — Bootstrap secret:
|
||||
# Before this Application can sync successfully, the 1Password credentials
|
||||
# file must be applied manually ONE TIME:
|
||||
#
|
||||
# kubectl create namespace onepassword-connect
|
||||
# kubectl create secret generic op-credentials \
|
||||
# --from-file=1password-credentials.json \
|
||||
# -n onepassword-connect
|
||||
#
|
||||
# This is the ONLY secret that cannot flow through ESO (it IS the ESO backend).
|
||||
# Store the credentials file securely in 1Password itself as a backup.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: onepassword-connect
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "2"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://1password.github.io/connect-helm-charts
|
||||
chart: connect
|
||||
targetRevision: 1.16.0
|
||||
helm:
|
||||
valuesFile: values.yaml
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: onepassword-connect
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ServerSideApply=true
|
||||
@@ -0,0 +1,32 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# ClusterSecretStore — 1Password Connect
|
||||
#
|
||||
# This is the bridge between ESO and 1Password Connect. Once this exists,
|
||||
# any ExternalSecret in any namespace can reference:
|
||||
# secretStoreRef:
|
||||
# kind: ClusterSecretStore
|
||||
# name: onepassword-connect
|
||||
#
|
||||
# The connect-token secret must exist in the onepassword-connect namespace.
|
||||
# Generate a token in 1Password: Developer Tools > Connect Servers > <your server>
|
||||
# Then apply once:
|
||||
# kubectl create secret generic connect-token \
|
||||
# --from-literal=token=<your-token> \
|
||||
# -n onepassword-connect
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ClusterSecretStore
|
||||
metadata:
|
||||
name: onepassword-connect
|
||||
spec:
|
||||
provider:
|
||||
onepassword:
|
||||
connectHost: http://onepassword-connect.onepassword-connect.svc.cluster.local:8080
|
||||
vaults:
|
||||
mk-labs: 1 # vault name in 1Password : priority
|
||||
auth:
|
||||
secretRef:
|
||||
connectTokenSecretRef:
|
||||
name: connect-token
|
||||
key: token
|
||||
namespace: onepassword-connect
|
||||
24
cluster/platform/onepassword-connect/values.yaml
Normal file
24
cluster/platform/onepassword-connect/values.yaml
Normal file
@@ -0,0 +1,24 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# 1Password Connect Server — Helm Values
|
||||
# Chart: https://1password.github.io/connect-helm-charts
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
connect:
|
||||
# Reference the manually-bootstrapped credentials secret
|
||||
credentialsName: op-credentials
|
||||
|
||||
# Connect server API token — pulled from the credentials secret
|
||||
# The token is generated in your 1Password account under
|
||||
# Developer Tools > Connect Servers
|
||||
serviceType: ClusterIP
|
||||
|
||||
# Operator manages automatic secret injection (optional, disable if not using)
|
||||
operator:
|
||||
create: false
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# ClusterSecretStore — tells ESO to use this Connect server as its backend.
|
||||
# Applied as a raw manifest alongside the Helm chart via ArgoCD's multi-source
|
||||
# (or manually after Connect is healthy — whichever you prefer).
|
||||
# See: cluster-secret-store.yaml
|
||||
# ------------------------------------------------------------------------------
|
||||
Reference in New Issue
Block a user