ttsreader: wire operator secrets through 1password

apps/fc-ttsreader/fc-ttsreader.yaml

@@ -7,6 +7,15 @@ metadata:
   labels:
     app.kubernetes.io/part-of: flowercore
 ---
+# 1Password -> K8s Secret sync for TTS Reader API keys
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: ttsreader-secrets
+  namespace: fc-ttsreader
+spec:
+  itemPath: "vaults/IAmWorkin/items/FlowerCore TTS Reader"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -67,10 +76,20 @@ spec:
               value: "gemma3:4b"
             - name: TtsReader__Runtime__LogsRoot
               value: "/data/logs"
-          envFrom:
+            - name: TtsReader__Runtime__SmokeStatePath
-            - secretRef:
+              value: "/data/ops/smoke-status.json"
-                name: ttsreader-secrets
+            - name: Auth__ApiKey
-                optional: true
+              valueFrom:
+                secretKeyRef:
+                  name: ttsreader-secrets
+                  key: Auth__ApiKey
+                  optional: true
+            - name: Auth__AdminApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: ttsreader-secrets
+                  key: Auth__AdminApiKey
+                  optional: true
           resources:
             requests:
               cpu: 100m