tazuna secret-to-genesissecret
Writes an existing Secret in the cluster out to 1Password and generates a GenesisSecret YAML that references it. This is a one-way migration / inventory command, not something to run repeatedly in routine operation.
tazuna secret-to-genesissecret \
--op-host <host> \
[--namespace <ns>] \
[--label-selector <sel>] [--name-regex <re>] \
[--vault <vault>] [--note <note>] \
[--dump-dir <dir>] [--dry-run]
Behavior
- Narrow down the Secrets in --namespace (default: default) by --label-selector / --name-regex.
- Write the data of each Secret out to the 1Password --vault as an Item.
- Emit a GenesisSecret YAML referencing that Item to --dump-dir (default: .).
- With --dry-run, neither write to 1Password nor generate YAML; only output the selection result of target Secrets.
It does not read tazuna.yaml, so -f / --file-path is ignored. Of the global flags, only -l / --log-level takes effect. Because the command both reads from the cluster and writes to 1Password, the 1Password CLI (op) must be authenticated before it is run.
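The selection step above (namespace, then equality label selector, then name regex) is what --dry-run reports. The following is an added illustration of that filtering logic, not code from tazuna itself; SecretMeta is a constructed stand-in for Secret metadata, and only key=value label requirements are handled, a subset of the full Kubernetes selector syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// SecretMeta is a constructed stand-in for a Secret's metadata in the cluster.
type SecretMeta struct {
	Name, Namespace string
	Labels          map[string]string
}

// SelectSecrets mirrors the selection step: keep Secrets in ns whose labels
// satisfy every "key=value" in selector and whose name matches nameRegex.
// Empty selector/regex apply no filter; only equality requirements are parsed.
func SelectSecrets(secrets []SecretMeta, ns, selector, nameRegex string) ([]string, error) {
	want := map[string]string{}
	for _, part := range strings.Split(selector, ",") {
		if part = strings.TrimSpace(part); part == "" {
			continue // tolerate "" and trailing commas
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("unsupported label requirement %q", part)
		}
		want[kv[0]] = kv[1]
	}
	re, err := regexp.Compile(nameRegex) // "" matches every name
	if err != nil {
		return nil, fmt.Errorf("bad --name-regex: %w", err)
	}
	var selected []string
	for _, s := range secrets {
		if s.Namespace != ns || !re.MatchString(s.Name) {
			continue
		}
		match := true
		for k, v := range want {
			if s.Labels[k] != v { // a missing label reads as "" and fails too
				match = false
				break
			}
		}
		if match {
			selected = append(selected, s.Name)
		}
	}
	return selected, nil
}
```

Run it against an inventory pulled with kubectl before the real migration to confirm the selector and regex pick exactly the Secrets you intend to hand to 1Password.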
Flags
In addition to global flags, the following are accepted.
| Flag | Type | Default | Required | Description |
|---|---|---|---|---|
| --op-host | string | - | Yes | Host part of the 1Password service-account URL (e.g. example.1password.com). |
| --namespace | string | default | - | The Kubernetes namespace where the target Secrets exist. Shell completion enumerates the actual cluster namespaces. |
| --label-selector | string | "" | - | A label selector to narrow down target Secrets. Example: app=foo,tier=db. |
| --name-regex | string | "" | - | A regular expression matched against the name of target Secrets. |
| --vault | string | "" | - | The 1Password vault name. Shell completion enumerates the actual vaults. |
| --note | string | "" | - | Note attached to the generated 1Password Item. |
| --dump-dir | string | . | - | Output directory for the generated GenesisSecret YAML. |
| --dry-run | bool | false | - | Output only the selection result, without writing to 1Password or generating YAML. |
Examples
tazuna secret-to-genesissecret \
--op-host example.1password.com \
--namespace production \
--label-selector tazuna.pepabo.com/migrate=true \
--vault platform \
--dump-dir ./genesissecrets
tazuna secret-to-genesissecret \
--op-host example.1password.com \
--name-regex '^db-.*' \
--dry-run
Related
- Reference the generated YAML from tazuna.yaml as a `type: genesissecret` Manifest.
- Terminology: GenesisSecret / Provider (SecretProvider)