feat: sync runtime secrets from doppler

infrastructure/addons/observability/grafana-admin-externalsecret.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: grafana-admin
+  namespace: observability
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: doppler-hetznerterra
+    kind: ClusterSecretStore
+  target:
+    name: grafana-admin-credentials
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        admin-user: admin
+        admin-password: "{{ .grafanaAdminPassword }}"
+  data:
+    - secretKey: grafanaAdminPassword
+      remoteRef:
+        key: GRAFANA_ADMIN_PASSWORD

infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml

@@ -24,6 +24,10 @@ spec:
   values:
     grafana:
       enabled: true
+      admin:
+        existingSecret: grafana-admin-credentials
+        userKey: admin-user
+        passwordKey: admin-password
       grafana.ini:
         server:
           root_url: http://observability/grafana/

infrastructure/addons/observability/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
+  - grafana-admin-externalsecret.yaml
   - traefik-tailscale-service.yaml
   - grafana-ingress.yaml
   - prometheus-ingress.yaml