blumeops/argocd/apps/external-secrets.yaml

# External Secrets Operator - Kubernetes secret sync from external providers
# Syncs secrets from 1Password Connect to native Kubernetes Secrets
#
# Static manifests rendered from upstream Helm chart v2.2.0
# Upstream: https://github.com/external-secrets/external-secrets
#
# Prerequisites:
# - 1password-connect must be deployed and healthy
# - external-secrets-crds must be synced first
#
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: argocd
spec:
  project: default
  source:
    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
    targetRevision: main
    path: argocd/manifests/external-secrets
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`# External Secrets Operator - Kubernetes secret sync from external providers`
			`# Syncs secrets from 1Password Connect to native Kubernetes Secrets`
			`#`
Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) ## Summary - Upgrade External Secrets Operator from v1.3.2 (helm-chart-2.0.0) to v2.2.0 - Migrate from Helm chart deployment to static kustomize manifests, matching the repo's kustomize-first pattern - Merge separate `-config` ArgoCD apps into the main operator apps (6 → 4 apps) - Clean up Helm-specific labels (`helm.sh/chart`, `managed-by: Helm`) - Update README example from v1beta1 to v1 API ## Breaking changes assessment Low risk — v2.0.0 removed Alibaba and Device42 providers (we use neither). No templating changes affect us. All ExternalSecrets already use v1 API. ## Deployment steps 1. Sync CRDs first on both clusters (new CRD version) 2. Sync operator apps (now kustomize-based) 3. Verify ClusterSecretStore and all ExternalSecrets are healthy 4. Delete orphaned config apps: `argocd app delete external-secrets-config` and `-config-ringtail` 5. `mise run services-check` Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/312 2026-03-25 15:56:41 -07:00			`# Static manifests rendered from upstream Helm chart v2.2.0`
			`# Upstream: https://github.com/external-secrets/external-secrets`
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`#`
			`# Prerequisites:`
			`# - 1password-connect must be deployed and healthy`
Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) ## Summary - Upgrade External Secrets Operator from v1.3.2 (helm-chart-2.0.0) to v2.2.0 - Migrate from Helm chart deployment to static kustomize manifests, matching the repo's kustomize-first pattern - Merge separate `-config` ArgoCD apps into the main operator apps (6 → 4 apps) - Clean up Helm-specific labels (`helm.sh/chart`, `managed-by: Helm`) - Update README example from v1beta1 to v1 API ## Breaking changes assessment Low risk — v2.0.0 removed Alibaba and Device42 providers (we use neither). No templating changes affect us. All ExternalSecrets already use v1 API. ## Deployment steps 1. Sync CRDs first on both clusters (new CRD version) 2. Sync operator apps (now kustomize-based) 3. Verify ClusterSecretStore and all ExternalSecrets are healthy 4. Delete orphaned config apps: `argocd app delete external-secrets-config` and `-config-ringtail` 5. `mise run services-check` Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/312 2026-03-25 15:56:41 -07:00			`# - external-secrets-crds must be synced first`
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`#`
			`apiVersion: argoproj.io/v1alpha1`
			`kind: Application`
			`metadata:`
			`name: external-secrets`
			`namespace: argocd`
			`spec:`
			`project: default`
Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) ## Summary - Upgrade External Secrets Operator from v1.3.2 (helm-chart-2.0.0) to v2.2.0 - Migrate from Helm chart deployment to static kustomize manifests, matching the repo's kustomize-first pattern - Merge separate `-config` ArgoCD apps into the main operator apps (6 → 4 apps) - Clean up Helm-specific labels (`helm.sh/chart`, `managed-by: Helm`) - Update README example from v1beta1 to v1 API ## Breaking changes assessment Low risk — v2.0.0 removed Alibaba and Device42 providers (we use neither). No templating changes affect us. All ExternalSecrets already use v1 API. ## Deployment steps 1. Sync CRDs first on both clusters (new CRD version) 2. Sync operator apps (now kustomize-based) 3. Verify ClusterSecretStore and all ExternalSecrets are healthy 4. Delete orphaned config apps: `argocd app delete external-secrets-config` and `-config-ringtail` 5. `mise run services-check` Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/312 2026-03-25 15:56:41 -07:00			`source:`
			`repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git`
			`targetRevision: main`
			`path: argocd/manifests/external-secrets`
Add External Secrets Operator with 1Password Connect (#66) (#66) ## Summary - Add 1Password Connect server for secrets automation API - Add External Secrets Operator (ESO) to sync secrets from 1Password to K8s - Add ClusterSecretStore connecting ESO to 1Password Connect - Convert devpi secret to ExternalSecret as proof of concept ## Architecture ``` 1Password Cloud → 1Password Connect (k8s) → ESO → Native K8s Secrets ``` ## Deployment and Testing - [ ] Mirror Helm charts to forge (connect-helm-charts, external-secrets) - DONE - [ ] Create 1Password Connect credentials (`op connect server create`) - [ ] Store credentials in 1Password item "1Password Connect" - [ ] Bootstrap secret: `op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl \| kubectl apply -f -` - [ ] Deploy 1password-connect: `argocd app sync 1password-connect` - [ ] Deploy external-secrets: `argocd app sync external-secrets` - [ ] Deploy external-secrets-config: `argocd app sync external-secrets-config` - [ ] Test devpi ExternalSecret: `argocd app sync devpi` - [ ] Verify secret synced: `kubectl get externalsecret -n devpi` ## Future Work After PoC validated, migrate remaining 12 secret templates to ExternalSecrets: - databases (3), tailscale-operator (1), grafana-config (2), teslamate (2) - forgejo-runner (1), argocd (1), immich (1), 1password-connect (1 - self-bootstrap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/66 2026-01-28 19:30:10 -08:00			`destination:`
			`server: https://kubernetes.default.svc`
			`namespace: external-secrets`
			`syncPolicy:`
			`syncOptions:`
			`- CreateNamespace=true`
			`- ServerSideApply=true`