blumeops/argocd/manifests/forgejo-runner/external-secret.yaml

# ExternalSecret for Forgejo Runner environment
#
# Replaces the manual op inject workflow from secret.yaml.tpl
#
# 1Password item: "Forgejo Secrets" in blumeops vault
# Field: runner_reg (runner registration token)
#
# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
# via template since they don't need to be in 1Password.
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: forgejo-runner-env
  namespace: forgejo-runner
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: forgejo-runner-env
    creationPolicy: Owner
    template:
      data:
        FORGEJO_URL: "https://forge.ops.eblu.me"
        RUNNER_NAME: "k8s-runner"
        RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.1"
        RUNNER_TOKEN: "{{ .runner_token }}"
  data:
  - secretKey: runner_token
    remoteRef:
      key: Forgejo Secrets
      property: runner_reg
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`# ExternalSecret for Forgejo Runner environment`
			`#`
			`# Replaces the manual op inject workflow from secret.yaml.tpl`
			`#`
			`# 1Password item: "Forgejo Secrets" in blumeops vault`
Remove ARGOCD_AUTH_TOKEN from external secret Workflow secrets come from Forgejo's secret store, not runner env. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 17:17:44 -08:00			`# Field: runner_reg (runner registration token)`
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`#`
			`# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included`
			`# via template since they don't need to be in 1Password.`
			`#`
			`apiVersion: external-secrets.io/v1`
			`kind: ExternalSecret`
			`metadata:`
			`name: forgejo-runner-env`
			`namespace: forgejo-runner`
			`spec:`
			`refreshInterval: 1h`
			`secretStoreRef:`
			`kind: ClusterSecretStore`
			`name: onepassword-blumeops`
			`target:`
			`name: forgejo-runner-env`
Switch all ExternalSecrets to creationPolicy: Owner ESO now has full ownership of these secrets. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:16 -08:00			`creationPolicy: Owner`
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`template:`
			`data:`
			`FORGEJO_URL: "https://forge.ops.eblu.me"`
			`RUNNER_NAME: "k8s-runner"`
Bootstrap buildx: revert to docker build, bump runner to v2.5.1 (#148) ## Summary - Temporarily revert composite action to `docker build` so we can build the runner image (chicken-and-egg: current runner v2.5.0 doesn't have buildx) - Bump runner label to `v2.5.1` so after sync the new runner image (with buildx) gets used ## Deployment plan 1. Merge this PR 2. Tag `forgejo-runner-v2.5.1` — builds with legacy `docker build` (one last time) 3. Sync forgejo-runner in ArgoCD to pick up the v2.5.1 label 4. Follow-up PR: switch action back to `docker buildx build` 5. Tag `nettest-v0.12.0` to verify buildx works end-to-end Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/148 2026-02-10 21:17:14 -08:00			`RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.1"`
Add ExternalSecrets for remaining k8s secrets Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect: - databases: eblume, borgmatic, teslamate passwords - tailscale-operator: OAuth client credentials - grafana-config: admin password, teslamate datasource - teslamate: db password, encryption key - forgejo-runner: runner registration token - argocd: forge SSH credentials All use creationPolicy: Merge for safe migration from existing secrets. Skipped: - miniflux/secret-db: Uses CNPG secret, not 1Password directly - immich/secret-db: Requires 1Password item creation first - 1password-connect: Bootstrap secret, must stay as template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 19:50:38 -08:00			`RUNNER_TOKEN: "{{ .runner_token }}"`
			`data:`
			`- secretKey: runner_token`
			`remoteRef:`
			`key: Forgejo Secrets`
			`property: runner_reg`