A practical guide to replacing loose environment-variable secret handling in Kamal deployments with a 1Password-backed setup. Covers creating dedicated vaults and service accounts in 1Password, using Kamal's native 1Password adapter in `.kamal/secrets` to fetch and extract secrets at deploy time, and wiring the same pattern into GitHub Actions CI/CD. Also addresses limitations of Dockerized Kamal mode with secret adapters and general security hygiene around deploy hosts.
Table of contents
- Before You Start
- What Kamal Already Does Well
- Environment Variables Stay, the Source Changes
- What You Need To Set Up In 1Password First
- Use Kamal’s Native 1Password Adapter
- 1Password Improves The Source Of Truth
- Watch Out If You Run Kamal Via Docker
- Digging Deeper: Making This Work In CI/CD
- Closing Thought