# ExternalSecret for borgmatic backup user password on immich-pg cluster
# (ringtail k3s).
#
# Mirror of argocd/manifests/databases/external-secret-immich-borgmatic.yaml.
# The onepassword-blumeops ClusterSecretStore exists on ringtail via the
# external-secrets-ringtail app.
#
# 1Password item: "borgmatic" in blumeops vault
# Field: "db-password"
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: immich-pg-borgmatic
  namespace: databases
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: immich-pg-borgmatic
    creationPolicy: Owner
    template:
      type: kubernetes.io/basic-auth
      data:
        username: borgmatic
        password: "{{ .password }}"
  data:
    - secretKey: password
      remoteRef:
        key: borgmatic
        property: db-password