blumeops/argocd/manifests/mealie/kustomization.yaml at b0023fef922cf5834cb48b32de2f0c8849306815 - eblume/blumeops - Forgejo: Beyond coding. We Forge.

eblume/blumeops

Erich Blume b0023fef92 Switch Mealie OIDC to confidential client

Mealie requires OIDC_CLIENT_SECRET even though its docs say "public
client with PKCE". The token exchange happens server-side in Mealie's
Python backend, so the secret never reaches the browser.

- Generate client secret, store in 1Password
- Add to Authentik external-secret and worker env
- Switch blueprint from public to confidential
- Add ExternalSecret for mealie namespace
- Update docs to reflect confidential client

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-16 21:50:34 -07:00

15 lines

281 B

YAML

Raw Blame History

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: mealie
 resources:
   - deployment.yaml
   - service.yaml
   - pvc.yaml
   - ingress-tailscale.yaml
   - external-secret.yaml
 images:
   - name: registry.ops.eblu.me/blumeops/mealie
     newTag: v3.12.0-5c5fd18