blumeops/argocd/manifests/teslamate/external-secret-encryption-key.yaml

# ExternalSecret for TeslaMate encryption key
#
# Replaces the manual op inject workflow from secret-encryption-key.yaml.tpl
#
# 1Password item: "TeslaMate" in blumeops vault
# Field: "api_enc_key"
#
# This key encrypts Tesla API tokens at rest in the database.
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: teslamate-encryption
  namespace: teslamate
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: teslamate-encryption
    creationPolicy: Owner
  data:
  - secretKey: key
    remoteRef:
      key: TeslaMate
      property: api_enc_key
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`# ExternalSecret for TeslaMate encryption key`
			`#`
			`# Replaces the manual op inject workflow from secret-encryption-key.yaml.tpl`
			`#`
			`# 1Password item: "TeslaMate" in blumeops vault`
			`# Field: "api_enc_key"`
			`#`
			`# This key encrypts Tesla API tokens at rest in the database.`
			`#`
			`apiVersion: external-secrets.io/v1`
			`kind: ExternalSecret`
			`metadata:`
			`name: teslamate-encryption`
			`namespace: teslamate`
			`spec:`
			`refreshInterval: 1h`
			`secretStoreRef:`
			`kind: ClusterSecretStore`
			`name: onepassword-blumeops`
			`target:`
			`name: teslamate-encryption`
Switch all ExternalSecrets to creationPolicy: Owner ESO now has full ownership of these secrets. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:16 -08:00			`creationPolicy: Owner`
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`data:`
			`- secretKey: key`
			`remoteRef:`
			`key: TeslaMate`
			`property: api_enc_key`