External Secrets

The External Secrets Operator syncs secrets from 1Password into Kubernetes Secrets. It runs in the 1password-connect namespace alongside the 1Password Connect server.

How It Works

Each service that needs secrets defines an ExternalSecret resource that references a 1Password item and field. The operator polls 1Password Connect and creates or updates the corresponding native Kubernetes Secrets.
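
The flow above as a manifest pair. This is an added example, not a manifest from this repository. The store, vault, item, field and Secret names, the grafana namespace, the Connect Service hostname, and the choice of a ClusterSecretStore are all assumptions.

```yaml
# Added example; every name below is an assumption, not taken from this repository.
apiVersion: external-secrets.io/v1beta1   # served version depends on the installed operator release
kind: ClusterSecretStore
metadata:
  name: onepassword-connect               # hypothetical store name
spec:
  provider:
    onepassword:
      # Assumed Service name; the namespace is the one this page names.
      connectHost: http://onepassword-connect.1password-connect.svc.cluster.local:8080
      vaults:
        homelab: 1                        # hypothetical vault name, value is lookup priority
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-connect-token   # hypothetical Secret holding the Connect token
            namespace: 1password-connect
            key: token
  conditions:
    - namespaces:                         # only these namespaces may reference the store
        - grafana
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin
  namespace: grafana
spec:
  refreshInterval: 1h                     # how often the operator polls Connect
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: grafana-admin                   # native Kubernetes Secret the operator creates/updates
    creationPolicy: Owner                 # Secret is garbage-collected with the ExternalSecret
  data:
    - secretKey: admin-password           # key inside the Kubernetes Secret
      remoteRef:
        key: grafana                      # 1Password item title (hypothetical)
        property: password                # field label on that item
```

The `conditions` block limits which namespaces can pull from the store, so a workload elsewhere in the cluster cannot create its own ExternalSecret against the same vault.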

Manifests

  • Operator + Connect server: argocd/manifests/1password-connect/
  • Per-service ExternalSecrets: in each service’s manifest directory (e.g., argocd/manifests/grafana-config/external-secret-*.yaml)