Add ExternalSecret for devpi as proof of concept

Converts devpi secret from manual op inject to ExternalSecret. This validates the 1Password Connect + ESO workflow. The secret-root.yaml.tpl template is kept for reference but the ExternalSecret will now manage the devpi-root secret. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:30:11 -08:00 · 2026-01-28 18:47:02 -08:00 · 2026-01-28 18:47:02 -08:00
commit f2cdb41f35
2 changed files with 26 additions and 0 deletions
--- a/argocd/manifests/devpi/external-secret.yaml
+++ b/argocd/manifests/devpi/external-secret.yaml
@ -0,0 +1,25 @@
+# ExternalSecret for devpi root password
+#
+# Replaces the manual op inject workflow from secret-root.yaml.tpl
+#
+# 1Password item: "devpi" in blumeops vault
+# Field: "root password"
+#
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: devpi-root
+  namespace: devpi
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: devpi-root
+    creationPolicy: Owner
+  data:
+  - secretKey: password
+    remoteRef:
+      key: devpi
+      property: root password
--- a/argocd/manifests/devpi/kustomization.yaml
+++ b/argocd/manifests/devpi/kustomization.yaml
@ -7,3 +7,4 @@ resources:
  - statefulset.yaml
  - service.yaml
  - ingress-tailscale.yaml
+  - external-secret.yaml