Zois Pagoulatos needed a way to automate secret injection into Kubernetes apps without compromising security. Unable to find the perfect tooling for his problem, he did what many seasoned engineers would do: he built the solution himself.
Kubernetes (K8s) offers multiple ways to scale containerized applications by automating deployment, resource management, and operations across K8s clusters. But with that power comes complexity, and the additional risk of losing track of where your secrets are going. Since Kubernetes apps are often composed of dozens if not hundreds of components, it’s all too easy for secrets like API keys, tokens, and other credentials to end up hard-coded in YAML files, exposed in Git commits, or leaked through CI/CD logs.
Zois Pagoulatos was all too familiar with that struggle. As a DevOps engineer working with Argo CD – a GitOps tool for Kubernetes – his team needed a secure way to automate secret injection for a work project. But Argo CD is built around the idea that your entire desired state lives in Git, a model that doesn’t work for sensitive data like secrets, which can’t safely be versioned. That mismatch created friction in his deployment process.
Using 1Password's SDKs and a few other developer tools, Zois set out to build an integration that would let him pull secrets securely into his deployment workflow. And though his team would later shift to a different architecture for this particular challenge, the open-source integration Zois created has lived on as one of 1Password’s most widely used community integrations.
When the right tool doesn’t exist (yet)
Zois’ team was already using Helm, the most widely adopted package manager for K8s, which simplifies application deployment by bundling configurations into reusable packages (or “charts”).
Secret injection, however, remained a challenge. Zois needed a way to securely incorporate secrets into Helm configurations without exposing them or disrupting GitOps practices in Argo CD.
That’s when Zois discovered helm-secrets, a Helm plugin that decrypts encrypted value files on the fly using SOPS. Helm-secrets also supports pulling secrets from external secret managers and injecting them into Helm value files or templates.
One of the ways that helm-secrets can fetch secrets is through Vals, an open-source tool designed to load secret values from external stores at runtime. Its declarative approach meant that Zois could keep placeholders in his Helm value files and let Vals fetch the underlying secret only when needed, making it a natural fit for Argo CD.
Zois still had one problem: His team was using 1Password to load secrets into workflows and services, and Vals didn’t yet support 1Password.
Building the missing integration
1Password developer tools provided everything Zois needed to build a 1Password backend for Vals himself. He used the 1Password SDK for Go in conjunction with 1Password Service Accounts to retrieve secrets from a 1Password vault and load them into Vals. Vals is used to dynamically resolve secrets into Kubernetes manifests, eliminating the need for manual secret management or hardcoded credentials.
This approach worked and met his requirements. Realizing that others would benefit from a similar integration, Zois submitted his work as a pull request in the Vals project on GitHub. It was reviewed and accepted by the maintainer of the project, who took the time to thank Zois for his effort.
Even early on, it was clear the integration filled a real gap for developers. The integration allows users to reference secrets within their configuration files. Vals then resolves these references during deployment by securely fetching the actual values from 1Password.
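To make the placeholder model concrete, here is a pre-commit style check that flags secret-looking keys in a Helm values file whose value is a literal rather than a Vals reference. It is an added example, not code from Vals, helm-secrets, or Zois' pull request; it relies only on Vals references starting with `ref+`, and the `ref+op://vault/item/field` shape, the key-name heuristic, and every name in the sample file are assumptions.

```python
import re

# Key names that usually hold credentials (constructed heuristic; tune per chart).
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|credential)", re.I)
# Vals references start with "ref+<backend>://"; anything else counts as a literal.
VALS_REF = re.compile(r"^ref\+[a-z0-9]+://\S+$")
# Simple "key: value" matcher; enough for flat scalar entries in a values file.
LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$")


def find_hardcoded_secrets(values_text):
    """Return (line_no, key) for secret-looking keys that hold a literal value."""
    findings = []
    for no, raw in enumerate(values_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0]          # drop trailing comments
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if not SECRET_KEY.search(key):
            continue
        if value in ("", "null", "~"):        # empty value or parent mapping key
            continue
        if VALS_REF.match(value):             # placeholder, resolved at deploy time
            continue
        findings.append((no, key))
    return findings


# Constructed sample; the op:// scheme and vault/item/field names are assumptions.
SAMPLE_VALUES = """\
image:
  tag: "1.4.2"
database:
  host: db.internal.example
  password: ref+op://example-vault/example-db/password
api:
  token: "constructed-not-a-real-token"   # literal: would land in Git
smtp:
  apiKey: ref+op://example-vault/example-smtp/credential
auth:
  existingSecret:
"""

if __name__ == "__main__":
    for no, key in find_hardcoded_secrets(SAMPLE_VALUES):
        print(f"line {no}: '{key}' holds a literal value; use a ref+ placeholder")
```
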
One developer’s solution, many teams’ benefit
Zois’ team later found a simpler solution for their infrastructure, though they continue to rely on 1Password developer tools in other parts of their developer workflow. Meanwhile, the 1Password integration that Zois created has taken on a life of its own: it’s actively maintained by the Vals project and is still being used by teams that want a seamless, declarative way to inject 1Password-managed secrets into Kubernetes workflows.
The integration lives on in part because many other teams face the same challenges Zois did. In fact, several 1Password team members discovered the Vals integration organically, through other developers who were trying to tackle secure secrets injection.
One platform, many paths
The Vals integration is a great example of how different tools can work together to simplify developer workflows. Secrets management solutions are rarely one-size-fits-all: in practice, most teams use a combination of tools based on their cloud environment, automation needs, team structure, and how secrets need to be used and accessed. That’s why 1Password offers an extendable approach designed to integrate with your existing tech stack and workflows:
- The 1Password CLI is a powerful way of injecting secrets into configuration files and pipelines at deployment.
- For runtime access within applications or services, 1Password SDKs offer lightweight language-specific tools that let you retrieve secrets securely.
- Our new AWS Secrets Manager integration lets you sync secrets from 1Password directly into AWS.
No matter your setup, 1Password gives you the building blocks to make secrets management secure, automated, and developer-friendly.
- Learn more about 1Password developer tools
- Dive into our developer docs
- Explore 1Password for Open Source
- Subscribe to our developer newsletter
- Chat with other developers on our forum or the developer Slack
Updated 14 days ago
Version 1.0
1P_francine
1Password Team