Phase 3c of migration #2: drop the Secret stanza from auth.yaml; the Middleware
stays and references filebrowser-auth-infisical (synced from homelab/prod
/filebrowser). ArgoCD prunes the old plaintext filebrowser-auth secret — the
bcrypt htpasswd leaves git. Completes migration #2.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3b of migration #2: Middleware.spec.basicAuth.secret now references the
Infisical-managed secret. Secret stanza in auth.yaml left in place as fallback
until 3b is verified (401 w/o creds, 200 w/ creds), then removed in 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3a of migration #2: syncs FILEBROWSER_USERS from homelab/prod /filebrowser
via read-only infisical-operator/infisical-auth, template-remapped to the
lowercase 'users' key Traefik basic-auth requires, into parallel-name
filebrowser-auth-infisical. Old plaintext filebrowser-auth secret + the Traefik
Middleware untouched (repoint=3b, removal of the Secret stanza=3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Same protection already given to polymarket-bot postgres and n8n: without
it, removing a PVC manifest from git (rename, multi-doc refactor) would
make ArgoCD destroy the volume and its data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>