ExternalSecret

1Password

  • 1Password-compatible item types: secret, document;
  • in this repo, all passwords use the secret item type;
  • encryption_ciper: generate with openssl rand -base64 36;
  • 1password-sync needs https_proxy;

remoteRef.key    remoteRef.property    remoteRef.value         ignored
password.title   password.label        password.new_field      password.section/notes/tags
document.title   document.file_name    document.file_content   document.section/notes/tags

Naming

  • the ExternalSecret and the Secret it creates should have the same name
  • for secrets that belong to the app itself, use appname
  • for secrets the app uses to access other services, use appname-service-usage

Example

---
# yaml-language-server: $schema=https://kubernetes-schemas.noirprime.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example-app
spec:
  refreshInterval: 30m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    template:
      data:
        username: "{{ .admin_user }}"
        password: "{{ .admin_pass }}"
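  dataFrom:
    # extract reads every field of the 1Password item titled app_user;
    # each field label (admin_user, admin_pass) becomes a template variable above
    - extract:
        key: app_user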
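
The manifest below is an added example, not taken from this repo. It uses explicit data entries instead of dataFrom.extract to show the remoteRef mapping from the table, together with the appname-service-usage naming rule. The item titles, field labels, file name and secret keys are constructed placeholders.

```yaml
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  # appname-service-usage: example-app's admin credentials for postgres (constructed name)
  name: example-app-postgres-admin
spec:
  refreshInterval: 30m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    # Same name as the ExternalSecret (this is also the default when omitted)
    name: example-app-postgres-admin
  data:
    # Secret item: key = item title, property = field label
    - secretKey: POSTGRES_USER
      remoteRef:
        key: postgres_admin      # constructed item title
        property: username       # constructed field label
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: postgres_admin
        property: password
    # Document item: key = document title, property = file name;
    # the resulting value is the file content
    - secretKey: ca.crt
      remoteRef:
        key: postgres_ca         # constructed document title
        property: ca.crt         # constructed file name
```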