1Password - KuiprLab/dev-environment GitHub Wiki


tags:

  • homelab/kube

1Password Kubernetes Integration Guide

Overview

The 1Password Kubernetes Operator allows you to securely store sensitive information in 1Password and inject it into your Kubernetes cluster as Kubernetes secrets. This creates a seamless workflow for managing secrets across your infrastructure.

Secret Naming Convention

When storing secrets in 1Password for Kubernetes integration, follow this structured naming pattern:

<secret-name> (<namespace>-<stage>)

For example:

  • discord-webhook (monitoring-dev)
  • database-credentials (backend-prod)
  • api-key (frontend-staging)

Secret Creation Steps

  1. In 1Password, select the "Password" category for your new item
  2. Leave the default Username and Password fields empty
  3. Create custom password fields for your actual secrets
  4. The custom field names will be used as keys in your Kubernetes secret

Example Workflow

1. Create a Secret in 1Password

Create a new item in 1Password with:

  • Title: discord-webhook (monitoring-dev)
  • Category: Password
  • Leave default Username/Password empty
  • Add custom field:
    • Field name: webhook-url
    • Value: https://discord.com/api/webhooks/12345/your-secret-token

2. Reference in Kubernetes YAML

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: discord-webhook
  namespace: monitoring
spec:
  itemPath: "vaults/your-vault-name/items/discord-webhook (monitoring-dev)"
---
apiVersion: v1
kind: Secret
metadata:
  name: discord-webhook
  namespace: monitoring
type: Opaque
stringData:
  # The webhook-url key references your custom field name in 1Password
  DISCORD_WEBHOOK: "{{ .webhook-url }}"

3. Access in Your Application

Your application can now access the secret value via environment variables or mounted volumes.
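A pre-deploy check for the naming convention and OnePasswordItem manifests above, added here as an example (it is not part of the 1Password operator or this wiki's repo): it parses the item title out of each itemPath and flags items whose namespace or stage disagrees with where they are referenced. The vault name homelab-dev, the sample manifest and the function names are constructed for the example.

```python
import re
# Page convention '<secret-name> (<namespace>-<stage>)' checked against OnePasswordItem manifests. Constructed example.
STAGES = ("dev", "staging", "prod")
TITLE_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9-]*) \((?P<scope>[a-z0-9-]+)\)$")
ITEM_PATH_RE = re.compile(r'^\s*itemPath:\s*"?vaults/[^/]+/items/([^"\n]+?)"?\s*$', re.M)
NAMESPACE_RE = re.compile(r"^\s*namespace:\s*(\S+)", re.M)

def parse_title(title):
    """Split a title into name/namespace/stage (stage = last '-' token), or return None."""
    m = TITLE_RE.match(title)
    if not m:
        return None
    namespace, sep, stage = m.group("scope").rpartition("-")
    if not sep or stage not in STAGES:
        return None
    return {"name": m.group("name"), "namespace": namespace, "stage": stage}

def check_manifest(manifest, cluster_stage):
    """List every OnePasswordItem whose namespace or stage disagrees with its item title."""
    findings = []
    for doc in manifest.split("\n---"):
        if "kind: OnePasswordItem" not in doc:
            continue  # plain Secrets and other kinds carry no itemPath
        ns, path = NAMESPACE_RE.search(doc), ITEM_PATH_RE.search(doc)
        parsed = parse_title(path.group(1)) if path else None
        if not (ns and parsed):
            findings.append("OnePasswordItem lacks a namespace or a convention-compliant itemPath")
            continue
        if parsed["namespace"] != ns.group(1):
            findings.append(f"{parsed['name']}: scoped to {parsed['namespace']!r} but "
                            f"referenced from namespace {ns.group(1)!r}")
        if parsed["stage"] != cluster_stage:
            findings.append(f"{parsed['name']}: {parsed['stage']} item used on a {cluster_stage} cluster")
    return findings

# Constructed sample: the first item is consistent, the second crosses namespace and stage.
SAMPLE = """\
kind: OnePasswordItem
metadata:
  namespace: monitoring
spec:
  itemPath: "vaults/homelab-dev/items/discord-webhook (monitoring-dev)"
---
kind: OnePasswordItem
metadata:
  namespace: backend
spec:
  itemPath: "vaults/homelab-dev/items/postgres-creds (database-prod)"
"""
```

Run `check_manifest(SAMPLE, "dev")` to see the two findings for the second item; a CI step can fail the pipeline when the list is non-empty.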

Real-World Examples

Database Credentials

In 1Password:

  • Title: postgres-creds (database-prod)
  • Custom fields:
    • username: db_user
    • password: super-secret-password
    • host: db.example.com
    • port: 5432

In Kubernetes:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: postgres-creds
  namespace: database
spec:
  itemPath: "vaults/your-vault-name/items/postgres-creds (database-prod)"
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: database
type: Opaque
stringData:
  DB_USER: "{{ .username }}"
  DB_PASSWORD: "{{ .password }}"
  DB_HOST: "{{ .host }}"
  DB_PORT: "{{ .port }}"

API Token for External Service

In 1Password:

  • Title: aws-credentials (infra-dev)
  • Custom fields:
    • access_key: AKIA123456789EXAMPLE
    • secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

In Kubernetes:

apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: aws-credentials
  namespace: infra
spec:
  itemPath: "vaults/your-vault-name/items/aws-credentials (infra-dev)"
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials
  namespace: infra
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "{{ .access_key }}"
  AWS_SECRET_ACCESS_KEY: "{{ .secret_key }}"

Best Practices

  1. Use different vaults for different environments (dev, staging, prod)
  2. Implement RBAC to control who can access which secrets
  3. Include the stage in the secret name for clarity
  4. Keep field names consistent across environments
  5. Regularly audit access to secrets

By following this structured approach, you'll maintain clear organization of your secrets across environments while leveraging 1Password's security features within your Kubernetes infrastructure.
