Add ExternalSecret for devpi as proof of concept

Converts devpi secret from manual op inject to ExternalSecret.
This validates the 1Password Connect + ESO workflow.

The secret-root.yaml.tpl template is kept for reference but
the ExternalSecret will now manage the devpi-root secret.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/devpi/external-secret.yaml

@@ -0,0 +1,25 @@
+# ExternalSecret for devpi root password
+#
+# Replaces the manual op inject workflow from secret-root.yaml.tpl
+#
+# 1Password item: "devpi" in blumeops vault
+# Field: "root password"
+#
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: devpi-root
+  namespace: devpi
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: devpi-root
+    creationPolicy: Owner
+  data:
+  - secretKey: password
+    remoteRef:
+      key: devpi
+      property: root password

argocd/manifests/devpi/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - statefulset.yaml
   - service.yaml
   - ingress-tailscale.yaml
+  - external-secret.yaml