From f2cdb41f352396d0e655da64a1408c8526ffc793 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 28 Jan 2026 18:47:02 -0800
Subject: [PATCH] Add ExternalSecret for devpi as proof of concept Converts devpi secret from manual op inject to ExternalSecret. This validates the 1Password Connect + ESO workflow. The secret-root.yaml.tpl template is kept for reference but the ExternalSecret will now manage the devpi-root secret.
Co-Authored-By: Claude Opus 4.5
---
argocd/manifests/devpi/external-secret.yaml | 25 +++++++++++++++++++++
argocd/manifests/devpi/kustomization.yaml | 1 +
2 files changed, 26 insertions(+)
create mode 100644 argocd/manifests/devpi/external-secret.yaml
diff --git a/argocd/manifests/devpi/external-secret.yaml b/argocd/manifests/devpi/external-secret.yaml
new file mode 100644
index 0000000..8340ad0
--- /dev/null
+++ b/argocd/manifests/devpi/external-secret.yaml
@@ -0,0 +1,25 @@
+# ExternalSecret for devpi root password
+#
+# Replaces the manual op inject workflow from secret-root.yaml.tpl
+#
+# 1Password item: "devpi" in blumeops vault
+# Field: "root password"
+#
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: devpi-root
+ namespace: devpi
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-blumeops
+ target:
+ name: devpi-root
+ creationPolicy: Owner
+ data:
+ - secretKey: password
+ remoteRef:
+ key: devpi
+ property: root password
diff --git a/argocd/manifests/devpi/kustomization.yaml b/argocd/manifests/devpi/kustomization.yaml
index 6bc7579..ef6566c 100644
--- a/argocd/manifests/devpi/kustomization.yaml
+++ b/argocd/manifests/devpi/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - statefulset.yaml
 - service.yaml
 - ingress-tailscale.yaml
+ - external-secret.yaml
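Review bot: In external-secret.yaml, `target.name: devpi-root` with `creationPolicy: Owner` hands this ExternalSecret a Secret that, going by the commit message, secret-root.yaml.tpl also renders, and nothing in the file says that the template must no longer be applied. A later manual `op inject` apply would presumably be reverted by the controller, and pruning the ExternalSecret garbage-collects the Secret that holds the devpi root password. I would extend the header comment with `# devpi-root is owned by this ExternalSecret; do not apply secret-root.yaml.tpl alongside it (kept for reference only)`. Separately, `secretStoreRef` points at a ClusterSecretStore whose definition is not in this patch; it is worth confirming that the store limits which namespaces may reference it, since otherwise any namespace allowed to create an ExternalSecret can pull items from the same vault.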