blumeops/argocd/manifests/tailscale-operator-ringtail/external-secret.yaml

---
# ExternalSecret for Tailscale Operator OAuth credentials
#
# Shares the same 1Password item as indri's operator (same OAuth client).
# Multiple operator instances can share one OAuth client; each registers
# as its own device.
#
# 1Password item: "Tailscale K8s Operator OAuth" in blumeops vault
# Fields: "client-id", "client-secret"
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: operator-oauth
  namespace: tailscale
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: operator-oauth
    creationPolicy: Owner
  data:
  - secretKey: client_id
    remoteRef:
      key: Tailscale K8s Operator OAuth
      property: client-id
  - secretKey: client_secret
    remoteRef:
      key: Tailscale K8s Operator OAuth
      property: client-secret