fix: Use insecure flag for ArgoCD repo instead of known hosts patching
Skip SSH host key verification via insecure: "true" in the repository secret. This avoids the chicken-and-egg problem where ArgoCD syncs its own known hosts ConfigMap and overwrites runtime patches. Remove configmaps RBAC and ssh-keyscan logic from the init job. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf
parent
9d7b12896f
commit
a9e006a250
|
|
@ -18,9 +18,6 @@ rules:
|
|||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "create"]
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get", "patch"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
@ -57,17 +54,14 @@ spec:
|
|||
- |
|
||||
set -e
|
||||
|
||||
apk add --no-cache openssh-keygen openssh-client > /dev/null 2>&1
|
||||
apk add --no-cache openssh-keygen > /dev/null 2>&1
|
||||
|
||||
ARGOCD_NS="argocd"
|
||||
REPO_SECRET="forgejo-repo"
|
||||
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
|
||||
FORGEJO_HOST="git.tr1ceracop.de"
|
||||
FORGEJO_SSH_PORT="222"
|
||||
FORGEJO_URL="https://${FORGEJO_HOST}"
|
||||
FORGEJO_URL="https://git.tr1ceracop.de"
|
||||
REPO_OWNER="gitea_admin"
|
||||
REPO_NAME="k8s-and-chill"
|
||||
KNOWN_HOSTS_CM="argocd-ssh-known-hosts-cm"
|
||||
|
||||
# Wait for Forgejo to be ready
|
||||
echo "Waiting for Forgejo to be ready..."
|
||||
|
|
@ -83,61 +77,43 @@ spec:
|
|||
sleep 5
|
||||
done
|
||||
|
||||
# Step 1: Add Forgejo SSH host key to ArgoCD known hosts
|
||||
echo "Scanning Forgejo SSH host key..."
|
||||
HOSTKEY=$(ssh-keyscan -p "${FORGEJO_SSH_PORT}" "${FORGEJO_HOST}" 2>/dev/null | grep -v '^#' | head -1)
|
||||
if [ -z "${HOSTKEY}" ]; then
|
||||
echo "Failed to scan SSH host key"
|
||||
# Check if ArgoCD repo secret already exists
|
||||
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
||||
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Read admin credentials
|
||||
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
||||
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
||||
|
||||
# Generate ed25519 SSH keypair
|
||||
KEYDIR=$(mktemp -d)
|
||||
ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
|
||||
PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
|
||||
PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
|
||||
rm -rf "${KEYDIR}"
|
||||
|
||||
# Register deploy key via Forgejo API
|
||||
echo "Registering deploy key..."
|
||||
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
||||
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
||||
-H "Content-Type: application/json" \
|
||||
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
||||
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
||||
|
||||
if [ "${HTTP_CODE}" = "201" ]; then
|
||||
echo "Deploy key registered successfully"
|
||||
elif [ "${HTTP_CODE}" = "422" ]; then
|
||||
echo "Deploy key already exists in Forgejo (422), continuing"
|
||||
else
|
||||
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
echo "Got host key: ${HOSTKEY}"
|
||||
|
||||
EXISTING=$(kubectl get configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" -o jsonpath='{.data.ssh_known_hosts}')
|
||||
if echo "${EXISTING}" | grep -qF "[${FORGEJO_HOST}]:${FORGEJO_SSH_PORT}"; then
|
||||
echo "Forgejo host key already in known hosts"
|
||||
else
|
||||
echo "Adding Forgejo host key to ArgoCD known hosts..."
|
||||
UPDATED=$(printf '%s\n%s\n' "${EXISTING}" "${HOSTKEY}")
|
||||
kubectl patch configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" \
|
||||
--type merge -p "{\"data\":{\"ssh_known_hosts\":$(printf '%s' "${UPDATED}" | jq -Rs .)}}"
|
||||
echo "Added Forgejo SSH host key to known hosts"
|
||||
fi
|
||||
|
||||
# Step 2: Create deploy key and repo secret (if not already done)
|
||||
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
||||
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping key generation"
|
||||
else
|
||||
# Read admin credentials
|
||||
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
||||
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
||||
|
||||
# Generate ed25519 SSH keypair
|
||||
KEYDIR=$(mktemp -d)
|
||||
ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
|
||||
PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
|
||||
PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
|
||||
rm -rf "${KEYDIR}"
|
||||
|
||||
# Register deploy key via Forgejo API
|
||||
echo "Registering deploy key..."
|
||||
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
||||
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
||||
-H "Content-Type: application/json" \
|
||||
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
||||
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
||||
|
||||
if [ "${HTTP_CODE}" = "201" ]; then
|
||||
echo "Deploy key registered successfully"
|
||||
elif [ "${HTTP_CODE}" = "422" ]; then
|
||||
echo "Deploy key already exists in Forgejo (422), continuing"
|
||||
else
|
||||
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create ArgoCD repository secret with label
|
||||
cat <<EOSECRET | kubectl apply -f -
|
||||
# Create ArgoCD repository secret with insecure flag (skip host key verification)
|
||||
cat <<EOSECRET | kubectl apply -f -
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
|
|
@ -148,14 +124,12 @@ spec:
|
|||
stringData:
|
||||
type: git
|
||||
url: "${REPO_URL}"
|
||||
insecure: "true"
|
||||
sshPrivateKey: |
|
||||
$(echo "${PRIVKEY}" | sed 's/^/ /')
|
||||
EOSECRET
|
||||
|
||||
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
||||
fi
|
||||
|
||||
echo "Done"
|
||||
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -13,10 +13,3 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
|
|
|
|||
|
|
@ -15,17 +15,14 @@ spec:
|
|||
- |
|
||||
set -e
|
||||
|
||||
apk add --no-cache openssh-keygen openssh-client > /dev/null 2>&1
|
||||
apk add --no-cache openssh-keygen > /dev/null 2>&1
|
||||
|
||||
ARGOCD_NS="argocd"
|
||||
REPO_SECRET="forgejo-repo"
|
||||
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
|
||||
FORGEJO_HOST="git.tr1ceracop.de"
|
||||
FORGEJO_SSH_PORT="222"
|
||||
FORGEJO_URL="https://${FORGEJO_HOST}"
|
||||
FORGEJO_URL="https://git.tr1ceracop.de"
|
||||
REPO_OWNER="gitea_admin"
|
||||
REPO_NAME="k8s-and-chill"
|
||||
KNOWN_HOSTS_CM="argocd-ssh-known-hosts-cm"
|
||||
|
||||
# Wait for Forgejo to be ready
|
||||
echo "Waiting for Forgejo to be ready..."
|
||||
|
|
@ -41,61 +38,43 @@ spec:
|
|||
sleep 5
|
||||
done
|
||||
|
||||
# Step 1: Add Forgejo SSH host key to ArgoCD known hosts
|
||||
echo "Scanning Forgejo SSH host key..."
|
||||
HOSTKEY=$(ssh-keyscan -p "${FORGEJO_SSH_PORT}" "${FORGEJO_HOST}" 2>/dev/null | grep -v '^#' | head -1)
|
||||
if [ -z "${HOSTKEY}" ]; then
|
||||
echo "Failed to scan SSH host key"
|
||||
# Check if ArgoCD repo secret already exists
|
||||
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
||||
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Read admin credentials
|
||||
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
||||
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
||||
|
||||
# Generate ed25519 SSH keypair
|
||||
KEYDIR=$(mktemp -d)
|
||||
ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
|
||||
PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
|
||||
PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
|
||||
rm -rf "${KEYDIR}"
|
||||
|
||||
# Register deploy key via Forgejo API
|
||||
echo "Registering deploy key..."
|
||||
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
||||
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
||||
-H "Content-Type: application/json" \
|
||||
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
||||
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
||||
|
||||
if [ "${HTTP_CODE}" = "201" ]; then
|
||||
echo "Deploy key registered successfully"
|
||||
elif [ "${HTTP_CODE}" = "422" ]; then
|
||||
echo "Deploy key already exists in Forgejo (422), continuing"
|
||||
else
|
||||
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
echo "Got host key: ${HOSTKEY}"
|
||||
|
||||
EXISTING=$(kubectl get configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" -o jsonpath='{.data.ssh_known_hosts}')
|
||||
if echo "${EXISTING}" | grep -qF "[${FORGEJO_HOST}]:${FORGEJO_SSH_PORT}"; then
|
||||
echo "Forgejo host key already in known hosts"
|
||||
else
|
||||
echo "Adding Forgejo host key to ArgoCD known hosts..."
|
||||
UPDATED=$(printf '%s\n%s\n' "${EXISTING}" "${HOSTKEY}")
|
||||
kubectl patch configmap "${KNOWN_HOSTS_CM}" -n "${ARGOCD_NS}" \
|
||||
--type merge -p "{\"data\":{\"ssh_known_hosts\":$(printf '%s' "${UPDATED}" | jq -Rs .)}}"
|
||||
echo "Added Forgejo SSH host key to known hosts"
|
||||
fi
|
||||
|
||||
# Step 2: Create deploy key and repo secret (if not already done)
|
||||
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
||||
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping key generation"
|
||||
else
|
||||
# Read admin credentials
|
||||
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
||||
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
||||
|
||||
# Generate ed25519 SSH keypair
|
||||
KEYDIR=$(mktemp -d)
|
||||
ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
|
||||
PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
|
||||
PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
|
||||
rm -rf "${KEYDIR}"
|
||||
|
||||
# Register deploy key via Forgejo API
|
||||
echo "Registering deploy key..."
|
||||
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
||||
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
||||
-H "Content-Type: application/json" \
|
||||
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
||||
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
||||
|
||||
if [ "${HTTP_CODE}" = "201" ]; then
|
||||
echo "Deploy key registered successfully"
|
||||
elif [ "${HTTP_CODE}" = "422" ]; then
|
||||
echo "Deploy key already exists in Forgejo (422), continuing"
|
||||
else
|
||||
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create ArgoCD repository secret with label
|
||||
cat <<EOSECRET | kubectl apply -f -
|
||||
# Create ArgoCD repository secret with insecure flag (skip host key verification)
|
||||
cat <<EOSECRET | kubectl apply -f -
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
|
|
@ -106,14 +85,12 @@ spec:
|
|||
stringData:
|
||||
type: git
|
||||
url: "${REPO_URL}"
|
||||
insecure: "true"
|
||||
sshPrivateKey: |
|
||||
$(echo "${PRIVKEY}" | sed 's/^/ /')
|
||||
EOSECRET
|
||||
|
||||
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
||||
fi
|
||||
|
||||
echo "Done"
|
||||
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
|
|
|
|||
Loading…
Reference in a new issue