Implement secret backend for 1Password CLI

[jeliebig]

Problem Statement

Currently there are two secret backends available: sops and vals However none of them support the 1Password CLI as a secret source.

Proposed Solution

Let's implement a new secret backend for the 1Password CLI!

Environment

• Helm Version: v3.12.0
• Helm Secrets Version: 4.5.1
• OS: Archlinux
• Shell: bash

Additional information

• I'm currently in the middle of implementing the secret backend myself, but after reading the contributing guidelines I decided to open an issue first.
• I'm not quite sure if I wrote the AC correctly, in case they aren't sufficient please tell me how to improve them.

Acceptance Criteria

• [ ] As a user, I can choose between the existing sops and vals backends and the new onepassword secret backend.
• [ ] The new backend is documented in the wiki.
• [ ] Unit tests for the new onepassword secret backend have been added.

[jkroepke]

is 1Password Connect not an option?

https://github.com/helmfile/vals#1password-connect

[jeliebig]

That requires an accessible Connect server, which we currently don't have. Our Connect server is accessible from within our Kubernetes environment, so we'd need to forward the port to our machines to use this option.

Since the 1Password CLI is available on all of our machines I thought it would be nice to add that as a secret backend instead.

[jkroepke]

I will not integrate 1Password into core, because there is at least a 1Password integration available and I'm unable to maintain such an integration since I do not own a 1Password account and i have no experience with it.

But helm-secrets support custom backends which is desigend to integrate non core secret backends.

There are some community examples for integrate the Vault CLI, doppler CLI and gopass CLI already. Feel free to provide the 1password one, too.

Here is an example YAML

https://github.com/jkroepke/helm-secrets/blob/2ecba6bda2244dc60dff846382e5b373c29fd3f8/tests/assets/values/custom-backend/secrets.yaml

which will be parsed by

https://github.com/jkroepke/helm-secrets/blob/2ecba6bda2244dc60dff846382e5b373c29fd3f8/examples/backends/vault.sh

it works, because helm-secrets provides a library https://github.com/jkroepke/helm-secrets/blob/main/scripts/lib/backends/_custom.sh for custom integration which handle the yaml paring.