blumeops/argocd/manifests/databases-ringtail/external-secret-teslamate.yaml

# ExternalSecret for TeslaMate database user password
#
# Replaces the manual op inject workflow from secret-teslamate.yaml.tpl
#
# 1Password item: "TeslaMate" in blumeops vault
# Field: "db_password"
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: blumeops-pg-teslamate
  namespace: databases
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: blumeops-pg-teslamate
    creationPolicy: Owner
    template:
      type: kubernetes.io/basic-auth
      data:
        username: teslamate
        password: "{{ .password }}"
  data:
  - secretKey: password
    remoteRef:
      key: TeslaMate
      property: db_password
Wave 1 indri→ringtail migration: paperless, teslamate, mealie (#363) Migrate paperless, teslamate, and mealie off the OOM-saturated minikube-indri node onto ringtail k3s, shedding ~1.1 GiB of resident load. Second chain in the indri-k8s decommission after immich. Containers ported to Nix (default.nix), build-verified on ringtail: - paperless → wraps nixpkgs paperless-ngx 2.20.15 (pinned unstable); runs as web/worker/beat/consumer - mealie → wraps nixpkgs mealie 3.16.0 (forward 4-minor bump, breaking-change reviewed); single gunicorn, SQLite - teslamate → from-scratch beamPackages mixRelease (not in nixpkgs); erlang_27+elixir_1_18, npm assets, ex_cldr locales pre-fetched Data: cold downtime-tolerant cutover. paperless+teslamate postgres dump/restore from quiesced source into a new ringtail blumeops-pg CNPG cluster; mealie SQLite PVC copied. Source DBs untouched until verified (rollback = repoint). Also: ringtail blumeops-pg cluster + ExternalSecrets scaffold; fixes pre-existing shower version-check drift. Runbook: docs/how-to/ringtail/migrate-wave1-ringtail.md. Deploy-from-branch + cutover happens before merge; container images rebuilt from main after merge. Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/363 2026-06-03 10:34:00 -07:00			`# ExternalSecret for TeslaMate database user password`
			`#`
			`# Replaces the manual op inject workflow from secret-teslamate.yaml.tpl`
			`#`
			`# 1Password item: "TeslaMate" in blumeops vault`
			`# Field: "db_password"`
			`#`
			`apiVersion: external-secrets.io/v1`
			`kind: ExternalSecret`
			`metadata:`
			`name: blumeops-pg-teslamate`
			`namespace: databases`
			`spec:`
			`refreshInterval: 1h`
			`secretStoreRef:`
			`kind: ClusterSecretStore`
			`name: onepassword-blumeops`
			`target:`
			`name: blumeops-pg-teslamate`
			`creationPolicy: Owner`
			`template:`
			`type: kubernetes.io/basic-auth`
			`data:`
			`username: teslamate`
			`password: "{{ .password }}"`
			`data:`
			`- secretKey: password`
			`remoteRef:`
			`key: TeslaMate`
			`property: db_password`