Migrate remaining secrets to ExternalSecrets #67

Merged
eblume merged 4 commits from feature/migrate-remaining-secrets into main 2026-01-28 20:41:45 -08:00

Summary

  • Add 10 ExternalSecrets to replace manual op inject workflows
  • All secrets use creationPolicy: Merge for safe migration
  • After sync, switch to creationPolicy: Owner for full ESO ownership

Secrets Migrated

| Service | Secret | 1Password Item |
|---------|--------|----------------|
| databases | blumeops-pg-eblume | postgres |
| databases | blumeops-pg-borgmatic | borgmatic |
| databases | blumeops-pg-teslamate | TeslaMate |
| tailscale-operator | operator-oauth | Tailscale K8s Operator OAuth |
| grafana-config | grafana-admin | Grafana (blumeops) |
| grafana-config | grafana-teslamate-datasource | TeslaMate |
| teslamate | teslamate-db | TeslaMate |
| teslamate | teslamate-encryption | TeslaMate |
| forgejo-runner | forgejo-runner-env | Forgejo Secrets |
| argocd | repo-creds-forge | argocd forge key |

Skipped

  • miniflux/secret-db - Uses CNPG secret directly, not 1Password
  • immich/secret-db - Requires creating immich-pg item in 1Password first
  • 1password-connect/secret-credentials - Bootstrap secret, must stay as template

Deployment and Testing

  • Point apps at feature branch and sync
  • Verify all ExternalSecrets show SecretSynced status
  • Switch all to creationPolicy: Owner
  • Reset to main after merge

🤖 Generated with Claude Code
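As an added illustration of the Merge-then-Owner migration described above (example manifests, not files from the blumeops repo), here is one of the listed secrets expressed as an ExternalSecret in its Merge phase together with the 1Password Connect store it would reference. The store name, the Connect service address, the vault name, the Connect token Secret and the 1Password field labels are assumptions; only the namespace, Secret name and item title come from the table above.

```yaml
# Added example, not the repository's own manifests. Store name, Connect host,
# vault name, Connect token Secret and 1Password field labels are assumed.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepassword:
      # In-cluster 1Password Connect server (assumed service address)
      connectHost: http://onepassword-connect.1password-connect.svc:8080
      vaults:
        blumeops: 1            # vault name -> lookup priority (assumed vault)
      auth:
        secretRef:
          connectTokenSecretRef:
            # Connect API token for ESO (assumed Secret name/key); this is
            # separate from the bootstrap secret the PR keeps as a template.
            name: onepassword-connect-token
            namespace: 1password-connect
            key: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin
  namespace: grafana-config
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: grafana-admin
    # Phase 1: Merge patches the listed keys into the Secret that `op inject`
    # already created, without taking ownership, so nothing breaks if a key
    # lookup fails. Phase 2: once this ExternalSecret reports SecretSynced,
    # change this to `creationPolicy: Owner` so ESO owns the Secret outright.
    creationPolicy: Merge
  data:
    - secretKey: admin-user
      remoteRef:
        key: "Grafana (blumeops)"   # 1Password item title from the PR table
        property: username          # assumed field label in that item
    - secretKey: admin-password
      remoteRef:
        key: "Grafana (blumeops)"
        property: password          # assumed field label in that item
```

With `creationPolicy: Merge` the target Secret must already exist; checking `kubectl get externalsecret -A` for a Ready condition with reason SecretSynced on every object is the gate before flipping the policy to Owner.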

Migrate 10 secret templates to ESO ExternalSecrets with 1Password Connect:
- databases: eblume, borgmatic, teslamate passwords
- tailscale-operator: OAuth client credentials
- grafana-config: admin password, teslamate datasource
- teslamate: db password, encryption key
- forgejo-runner: runner registration token
- argocd: forge SSH credentials

All use creationPolicy: Merge for safe migration from existing secrets.

Skipped:
- miniflux/secret-db: Uses CNPG secret, not 1Password directly
- immich/secret-db: Requires 1Password item creation first
- 1password-connect: Bootstrap secret, must stay as template

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Delete 13 .yaml.tpl files replaced by ExternalSecrets
- Update immich/README.md with direct CNPG secret copy instructions
- Update miniflux/README.md with context flag and ESO note

Only 1password-connect/secret-credentials.yaml.tpl remains (bootstrap).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ESO now has full ownership of these secrets.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

1Password Connect doesn't support ?ssh-format=openssh, so we need a
separate Secure Note item with the OpenSSH-formatted key.

Created new 1Password item: argocd-forge-ssh-key

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit a93f2a77e1 into main 2026-01-28 20:41:45 -08:00
Reference
eblume/blumeops!67