From ad2ad22ccf8db57ee06ce5977ebdbdcb8f70bc80 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Mon, 19 Jan 2026 19:14:50 -0800
Subject: [PATCH] Fix miniflux secret to use CNPG-generated password

The miniflux user password is auto-generated by CloudNativePG and stored
in blumeops-pg-app secret. Updated README and secret template to document
the correct setup process.
---
 argocd/manifests/miniflux/README.md          |  5 ++++-
 argocd/manifests/miniflux/secret-db.yaml.tpl | 22 ++++++++++++--------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/argocd/manifests/miniflux/README.md b/argocd/manifests/miniflux/README.md
index fc77468..18780ca 100644
--- a/argocd/manifests/miniflux/README.md
+++ b/argocd/manifests/miniflux/README.md
@@ -14,7 +14,10 @@ RSS/Atom feed reader deployed via ArgoCD.
 
 ```bash
 kubectl create namespace miniflux
-op inject -i argocd/manifests/miniflux/secret-db.yaml.tpl | kubectl apply -f -
+
+# The miniflux user password is auto-generated by CNPG in blumeops-pg-app secret
+kubectl create secret generic miniflux-db -n miniflux \
+  --from-literal=url="$(kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
 ```
 
 2. Apply the ArgoCD application:
diff --git a/argocd/manifests/miniflux/secret-db.yaml.tpl b/argocd/manifests/miniflux/secret-db.yaml.tpl
index bfc5b43..462e407 100644
--- a/argocd/manifests/miniflux/secret-db.yaml.tpl
+++ b/argocd/manifests/miniflux/secret-db.yaml.tpl
@@ -1,9 +1,13 @@
-# Apply with: op inject -i argocd/manifests/miniflux/secret-db.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: miniflux-db
-  namespace: miniflux
-type: Opaque
-stringData:
-  url: postgres://miniflux:{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/ns6wylqiuqgczpo7gq2akaxbti/password }}@blumeops-pg-rw.databases.svc.cluster.local:5432/miniflux?sslmode=disable
+# Miniflux database connection secret
+#
+# The miniflux user password is auto-generated by CloudNativePG and stored in
+# blumeops-pg-app secret in the databases namespace. To create this secret:
+#
+# 1. Get the URI from CNPG secret:
+#    kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d
+#
+# 2. Create the secret (one-liner):
+#    kubectl create secret generic miniflux-db -n miniflux \
+#      --from-literal=url="$(kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
+#
+# Note: Uses internal k8s DNS hostname (blumeops-pg-rw.databases) not Tailscale