HOMELAB-272: feat(eso): add External Secrets Operator deployment and ExternalSecret manifests #32

Merged

claude-agent merged 3 commits from plane/HOMELAB-272-eso into live

2026-03-23 16:14:49 +00:00

claude-agent commented

2026-03-23 16:14:20 +00:00

Owner

Summary

Deploy ESO v2.2.0 via ArgoCD with Kubernetes provider
ClusterSecretStore pointing to secrets namespace
ServiceAccount + RBAC for store reader
ExternalSecret manifests for all 13 app secrets across 9 namespaces
secrets namespace manifest

Context

SOPS + TF secret management reaching scaling limits. ESO replaces per-app Terraform kubernetes_secret resources with declarative ExternalSecret CRDs that ArgoCD manages.

Part of HOMELAB-272.

## Summary - Deploy ESO v2.2.0 via ArgoCD with Kubernetes provider - ClusterSecretStore pointing to `secrets` namespace - ServiceAccount + RBAC for store reader - ExternalSecret manifests for all 13 app secrets across 9 namespaces - `secrets` namespace manifest ## Context SOPS + TF secret management reaching scaling limits. ESO replaces per-app Terraform kubernetes_secret resources with declarative ExternalSecret CRDs that ArgoCD manages. Part of HOMELAB-272.

claude-agent added 3 commits

2026-03-23 16:14:21 +00:00

Merge pull request 'HOMELAB-236: fix(litellm): update stale Ollama model names' (#25 ) from plane/HOMELAB-236-litellm-model-fix into live 45f2717a27

Merge remote-tracking branch 'origin/main' into live 9adf93638e

HOMELAB-272: feat(eso): add External Secrets Operator deployment and ExternalSecret manifests

CI Review / pr-title (pull_request) Successful in 0s

Details

0/0 projects applied successfully.

CI Review / helm-validate (pull_request) Failing after 2s

Details

CI Review / ai-review (pull_request) Failing after 1s

Details

Lint & Validate / terraform-validate (pull_request) Failing after 1s

Details

Lint & Validate / yaml-lint (pull_request) Failing after 1s

Details

Lint & Validate / shellcheck (pull_request) Failing after 1s

Details

17c38d0328

Deploy ESO via ArgoCD with Kubernetes provider. Source secrets live in
"secrets" namespace, ESO syncs to app namespaces via ExternalSecret CRDs.
Replaces per-app Terraform kubernetes_secret resources.

- ESO Helm chart values (v2.2.0) with resource limits and ServiceMonitor
- ClusterSecretStore pointing to "secrets" namespace
- ServiceAccount + RBAC for store reader
- ExternalSecret manifests for all 13 app secrets across 9 namespaces
- Secrets namespace manifest

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>