Initial argo deployment

This commit is contained in:
2026-05-17 20:44:31 -05:00
parent 97e9889251
commit 905b4619d6
33 changed files with 1322 additions and 0 deletions

View File

@@ -0,0 +1,41 @@
# ------------------------------------------------------------------------------
# Platform: 1Password Connect Server
# Wave 2 — depends on ESO (wave 1) being healthy
#
# IMPORTANT — Bootstrap secret:
# Before this Application can sync successfully, the 1Password credentials
# file must be applied manually ONE TIME:
#
# kubectl create namespace onepassword-connect
# kubectl create secret generic op-credentials \
# --from-file=1password-credentials.json \
# -n onepassword-connect
#
# This is the ONLY secret that cannot flow through ESO (it IS the ESO backend).
# Store the credentials file securely in 1Password itself as a backup.
# ------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: onepassword-connect
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
project: default
source:
repoURL: https://1password.github.io/connect-helm-charts
chart: connect
targetRevision: 1.16.0
helm:
valuesFile: values.yaml
destination:
server: https://kubernetes.default.svc
namespace: onepassword-connect
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

View File

@@ -0,0 +1,32 @@
# ------------------------------------------------------------------------------
# ClusterSecretStore — 1Password Connect
#
# This is the bridge between ESO and 1Password Connect. Once this exists,
# any ExternalSecret in any namespace can reference:
# secretStoreRef:
# kind: ClusterSecretStore
# name: onepassword-connect
#
# The connect-token secret must exist in the onepassword-connect namespace.
# Generate a token in 1Password: Developer Tools > Connect Servers > <your server>
# Then apply once:
# kubectl create secret generic connect-token \
# --from-literal=token=<your-token> \
# -n onepassword-connect
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: onepassword-connect
spec:
provider:
onepassword:
connectHost: http://onepassword-connect.onepassword-connect.svc.cluster.local:8080
vaults:
mk-labs: 1 # vault name in 1Password : priority
auth:
secretRef:
connectTokenSecretRef:
name: connect-token
key: token
namespace: onepassword-connect

View File

@@ -0,0 +1,24 @@
# ------------------------------------------------------------------------------
# 1Password Connect Server — Helm Values
# Chart: https://1password.github.io/connect-helm-charts
# ------------------------------------------------------------------------------
connect:
# Reference the manually-bootstrapped credentials secret
credentialsName: op-credentials
# Connect server API token — pulled from the credentials secret
# The token is generated in your 1Password account under
# Developer Tools > Connect Servers
serviceType: ClusterIP
# Operator manages automatic secret injection (optional, disable if not using)
operator:
create: false
# ------------------------------------------------------------------------------
# ClusterSecretStore — tells ESO to use this Connect server as its backend.
# Applied as a raw manifest alongside the Helm chart via ArgoCD's multi-source
# (or manually after Connect is healthy — whichever you prefer).
# See: cluster-secret-store.yaml
# ------------------------------------------------------------------------------