blumeops/argocd/manifests/grafana-config/external-secret-teslamate-datasource.yaml

# ExternalSecret for TeslaMate PostgreSQL datasource password
#
# Replaces the manual op inject workflow from secret-teslamate-datasource.yaml.tpl
#
# 1Password item: "TeslaMate" in blumeops vault
# Field: "db_password"
#
# This secret is mounted as environment variables in Grafana.
# The password is referenced in values.yaml datasource config as $TESLAMATE_DB_PASSWORD
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: grafana-teslamate-datasource
  namespace: monitoring
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: grafana-teslamate-datasource
    creationPolicy: Owner
    template:
      data:
        TESLAMATE_DB_PASSWORD: "{{ .password }}"
  data:
  - secretKey: password
    remoteRef:
      key: TeslaMate
      property: db_password