fix: Use insecure flag for ArgoCD repo instead of known hosts patching

Skip SSH host key verification via insecure: "true" in the repository
secret. This avoids the chicken-and-egg problem where ArgoCD syncs its
own known hosts ConfigMap and overwrites runtime patches. Remove
configmaps RBAC and ssh-keyscan logic from the init job.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml

@@ -18,9 +18,6 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "patch"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -57,17 +54,14 @@ spec:
             - |
               set -e
 
-              apk add --no-cache openssh-keygen openssh-client > /dev/null 2>&1
+              apk add --no-cache openssh-keygen > /dev/null 2>&1
 
               ARGOCD_NS="argocd"
               REPO_SECRET="forgejo-repo"
               REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
-              FORGEJO_HOST="git.tr1ceracop.de"
+              FORGEJO_URL="https://git.tr1ceracop.de"
-              FORGEJO_SSH_PORT="222"
-              FORGEJO_URL="https://${FORGEJO_HOST}"
               REPO_OWNER="gitea_admin"
               REPO_NAME="k8s-and-chill"
-              KNOWN_HOSTS_CM="argocd-ssh-known-hosts-cm"
 
               # Wait for Forgejo to be ready
               echo "Waiting for Forgejo to be ready..."
@@ -83,61 +77,43 @@ spec:
                 sleep 5
               done
 
-              # Step 1: Add Forgejo SSH host key to ArgoCD known hosts
+              # Check if ArgoCD repo secret already exists
-              echo "Scanning Forgejo SSH host key..."
+              if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
-              HOSTKEY=$(ssh-keyscan -p "${FORGEJO_SSH_PORT}" "${FORGEJO_HOST}" 2>/dev/null | grep -v '^#' | head -1)
+                echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
-              if [ -z "${HOSTKEY}" ]; then
+                exit 0
-                echo "Failed to scan SSH host key"
+              fi
+
+              # Read admin credentials
+              ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
+              ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
+
+              # Generate ed25519 SSH keypair
+              KEYDIR=$(mktemp -d)
+              ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
+              PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
+              PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
+              rm -rf "${KEYDIR}"
+
+              # Register deploy key via Forgejo API
+              echo "Registering deploy key..."
+              HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
+                -X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
+                -H "Content-Type: application/json" \
+                -u "${ADMIN_USER}:${ADMIN_PASS}" \
+                -d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
+
+              if [ "${HTTP_CODE}" = "201" ]; then
+                echo "Deploy key registered successfully"
+              elif [ "${HTTP_CODE}" = "422" ]; then
+                echo "Deploy key already exists in Forgejo (422), continuing"
+              else
+                echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
+                cat /tmp/response.json
                 exit 1
               fi
-              echo "Got host key: ${HOSTKEY}"
 
-              EXISTING=$(kubectl get configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" -o jsonpath='{.data.ssh_known_hosts}')
+              # Create ArgoCD repository secret with insecure flag (skip host key verification)
-              if echo "${EXISTING}" | grep -qF "[${FORGEJO_HOST}]:${FORGEJO_SSH_PORT}"; then
+              cat <<EOSECRET | kubectl apply -f -
-                echo "Forgejo host key already in known hosts"
-              else
-                echo "Adding Forgejo host key to ArgoCD known hosts..."
-                UPDATED=$(printf '%s\n%s\n' "${EXISTING}" "${HOSTKEY}")
-                kubectl patch configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" \
-                  --type merge -p "{\"data\":{\"ssh_known_hosts\":$(printf '%s' "${UPDATED}" | jq -Rs .)}}"
-                echo "Added Forgejo SSH host key to known hosts"
-              fi
-
-              # Step 2: Create deploy key and repo secret (if not already done)
-              if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
-                echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping key generation"
-              else
-                # Read admin credentials
-                ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
-                ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
-
-                # Generate ed25519 SSH keypair
-                KEYDIR=$(mktemp -d)
-                ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
-                PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
-                PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
-                rm -rf "${KEYDIR}"
-
-                # Register deploy key via Forgejo API
-                echo "Registering deploy key..."
-                HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
-                  -X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
-                  -H "Content-Type: application/json" \
-                  -u "${ADMIN_USER}:${ADMIN_PASS}" \
-                  -d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
-
-                if [ "${HTTP_CODE}" = "201" ]; then
-                  echo "Deploy key registered successfully"
-                elif [ "${HTTP_CODE}" = "422" ]; then
-                  echo "Deploy key already exists in Forgejo (422), continuing"
-                else
-                  echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
-                  cat /tmp/response.json
-                  exit 1
-                fi
-
-                # Create ArgoCD repository secret with label
-                cat <<EOSECRET | kubectl apply -f -
               apiVersion: v1
               kind: Secret
               metadata:
@@ -148,14 +124,12 @@ spec:
               stringData:
                 type: git
                 url: "${REPO_URL}"
+                insecure: "true"
                 sshPrivateKey: |
               $(echo "${PRIVKEY}" | sed 's/^/            /')
               EOSECRET
 
-                echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
+              echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
-              fi
-
-              echo "Done"
           env:
             - name: NAMESPACE
               valueFrom:

rendered/envs/production/forgejo/clusterrole-argocd-deploy-key-init.yaml

@@ -13,10 +13,3 @@ rules:
     verbs:
       - get
       - create
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - patch

rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml

@@ -15,17 +15,14 @@ spec:
             - |
               set -e
 
-              apk add --no-cache openssh-keygen openssh-client > /dev/null 2>&1
+              apk add --no-cache openssh-keygen > /dev/null 2>&1
 
               ARGOCD_NS="argocd"
               REPO_SECRET="forgejo-repo"
               REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
-              FORGEJO_HOST="git.tr1ceracop.de"
+              FORGEJO_URL="https://git.tr1ceracop.de"
-              FORGEJO_SSH_PORT="222"
-              FORGEJO_URL="https://${FORGEJO_HOST}"
               REPO_OWNER="gitea_admin"
               REPO_NAME="k8s-and-chill"
-              KNOWN_HOSTS_CM="argocd-ssh-known-hosts-cm"
 
               # Wait for Forgejo to be ready
               echo "Waiting for Forgejo to be ready..."
@@ -41,61 +38,43 @@ spec:
                 sleep 5
               done
 
-              # Step 1: Add Forgejo SSH host key to ArgoCD known hosts
+              # Check if ArgoCD repo secret already exists
-              echo "Scanning Forgejo SSH host key..."
+              if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
-              HOSTKEY=$(ssh-keyscan -p "${FORGEJO_SSH_PORT}" "${FORGEJO_HOST}" 2>/dev/null | grep -v '^#' | head -1)
+                echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
-              if [ -z "${HOSTKEY}" ]; then
+                exit 0
-                echo "Failed to scan SSH host key"
+              fi
+
+              # Read admin credentials
+              ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
+              ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
+
+              # Generate ed25519 SSH keypair
+              KEYDIR=$(mktemp -d)
+              ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
+              PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
+              PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
+              rm -rf "${KEYDIR}"
+
+              # Register deploy key via Forgejo API
+              echo "Registering deploy key..."
+              HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
+                -X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
+                -H "Content-Type: application/json" \
+                -u "${ADMIN_USER}:${ADMIN_PASS}" \
+                -d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
+
+              if [ "${HTTP_CODE}" = "201" ]; then
+                echo "Deploy key registered successfully"
+              elif [ "${HTTP_CODE}" = "422" ]; then
+                echo "Deploy key already exists in Forgejo (422), continuing"
+              else
+                echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
+                cat /tmp/response.json
                 exit 1
               fi
-              echo "Got host key: ${HOSTKEY}"
 
-              EXISTING=$(kubectl get configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" -o jsonpath='{.data.ssh_known_hosts}')
+              # Create ArgoCD repository secret with insecure flag (skip host key verification)
-              if echo "${EXISTING}" | grep -qF "[${FORGEJO_HOST}]:${FORGEJO_SSH_PORT}"; then
+              cat <<EOSECRET | kubectl apply -f -
-                echo "Forgejo host key already in known hosts"
-              else
-                echo "Adding Forgejo host key to ArgoCD known hosts..."
-                UPDATED=$(printf '%s\n%s\n' "${EXISTING}" "${HOSTKEY}")
-                kubectl patch configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" \
-                  --type merge -p "{\"data\":{\"ssh_known_hosts\":$(printf '%s' "${UPDATED}" | jq -Rs .)}}"
-                echo "Added Forgejo SSH host key to known hosts"
-              fi
-
-              # Step 2: Create deploy key and repo secret (if not already done)
-              if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
-                echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping key generation"
-              else
-                # Read admin credentials
-                ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
-                ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
-
-                # Generate ed25519 SSH keypair
-                KEYDIR=$(mktemp -d)
-                ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
-                PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
-                PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
-                rm -rf "${KEYDIR}"
-
-                # Register deploy key via Forgejo API
-                echo "Registering deploy key..."
-                HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
-                  -X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
-                  -H "Content-Type: application/json" \
-                  -u "${ADMIN_USER}:${ADMIN_PASS}" \
-                  -d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
-
-                if [ "${HTTP_CODE}" = "201" ]; then
-                  echo "Deploy key registered successfully"
-                elif [ "${HTTP_CODE}" = "422" ]; then
-                  echo "Deploy key already exists in Forgejo (422), continuing"
-                else
-                  echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
-                  cat /tmp/response.json
-                  exit 1
-                fi
-
-                # Create ArgoCD repository secret with label
-                cat <<EOSECRET | kubectl apply -f -
               apiVersion: v1
               kind: Secret
               metadata:
@@ -106,14 +85,12 @@ spec:
               stringData:
                 type: git
                 url: "${REPO_URL}"
+                insecure: "true"
                 sshPrivateKey: |
               $(echo "${PRIVKEY}" | sed 's/^/            /')
               EOSECRET
 
-                echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
+              echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
-              fi
-
-              echo "Done"
           env:
             - name: NAMESPACE
               valueFrom: