feat(agent-zero): wire Print.Web API key to pod via 1Password OnePasswordItem

Add `print-web-api-keys` OnePasswordItem CRD that syncs from 1Password "Print.Web API Keys" vault item (password field). Mount as PRINT_WEB_API_KEY env var in the agent-zero container. The print_web.py Python tool (already in bluejay-tools ConfigMaps) reads PRINT_WEB_URL and PRINT_WEB_API_KEY env vars for all HTTP calls to the thermal print service on edge2. Previously the key was unset so every API call was rejected with 401. Note: Print.Web uses the legacy REST MCP shape (/api/mcp/tools/*) not the streamable-http protocol. The Python tool bridges this gap — no /mcp endpoint exists on Print.Web today. Network policy already allows 10.0.57.16:5200. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 20:34:06 -05:00
parent 35bd055cb4
commit f1431f7324
1 changed files with 27 additions and 1 deletions
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -108,6 +108,22 @@ metadata:
 spec:
  itemPath: "vaults/IAmWorkin/items/FC LLM Bridge API Keys"

+---
+# Print.Web API key for Agent Zero's print_web.py Python tool.
+# Syncs from 1Password item "Print.Web API Keys" (password field = API key).
+# The print_web.py tool reads PRINT_WEB_API_KEY env var for all HTTP requests
+# to the thermal print service (GET /api/mcp/tools, POST /api/print/*, etc.).
+# Note: Print.Web uses the legacy REST MCP shape (/api/mcp/tools/*), not the
+# streamable-http MCP protocol. The print_web Python tool bridges this gap
+# and is already present in bluejay-tools ConfigMaps.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: print-web-api-keys
+  namespace: agent-zero
+spec:
+  itemPath: "vaults/IAmWorkin/items/Print.Web API Keys"
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -383,9 +399,19 @@ spec:
                  name: chat-mcp-api-key
                  key: api-key
                  optional: true
-            # Print.Web — Thermal printer service on edge2
+            # Print.Web — Thermal printer service on edge2.
+            # PRINT_WEB_URL: internal HTTP (bypasses Traefik TLS — print_web.py
+            # runs in-cluster and can reach edge2 directly on the PROD VLAN).
+            # PRINT_WEB_API_KEY: from 1Password "Print.Web API Keys" password field,
+            # synced by the print-web-api-keys OnePasswordItem CRD above.
+            # The print_web.py Python tool reads both env vars for all HTTP calls.
            - name: PRINT_WEB_URL
              value: "http://10.0.57.16:5200"
+            - name: PRINT_WEB_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: print-web-api-keys
+                  key: password
            # Kubernetes
            - name: KUBERNETES_SERVICE_HOST
              value: "kubernetes.default.svc"