Jobs are immutable in Kubernetes. Without Replace=true, ArgoCD fails
to sync when it tries to update an existing Job. This annotation tells
ArgoCD to delete and recreate the Job instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Skip SSH host key verification via insecure: "true" in the repository
secret. This avoids the chicken-and-egg problem where ArgoCD syncs its
own known hosts ConfigMap and overwrites runtime patches. Remove
configmaps RBAC and ssh-keyscan logic from the init job.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
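Added example, not part of the commit above or of the repository's own code: an audit check that lists Argo CD repository secrets where `insecure` is set, so that a setting like the one this commit introduces stays visible to reviewers. It reads JSON in the shape of `kubectl get secrets -n argocd -o json`; the secret names, the `forgejo.example.internal` URLs and the set of truthy spellings are assumptions.

```python
import base64
import json

LABEL = "argocd.argoproj.io/secret-type"
TRUTHY = {"1", "t", "true"}  # assumed truthy spellings, compared lowercased

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like `kubectl get secrets -n argocd -o json`;
# names and URLs are placeholders, not values from the repository.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "repo-forgejo", "labels": {LABEL: "repository"}},
     "data": {"url": b64("ssh://git@forgejo.example.internal/org/infra.git"),
              "insecure": b64("true")}},
    {"metadata": {"name": "repo-verified", "labels": {LABEL: "repository"}},
     "data": {"url": b64("ssh://git@forgejo.example.internal/org/apps.git")}},
    {"metadata": {"name": "unrelated", "labels": {}},
     "data": {"insecure": b64("true")}},
]})

def field(secret, key):
    """Read a Secret field from stringData (manifest) or base64 data (API)."""
    plain = secret.get("stringData") or {}
    if key in plain:
        return plain[key]
    raw = (secret.get("data") or {}).get(key)
    return base64.b64decode(raw).decode() if raw is not None else ""

def unverified_repos(secret_list_json):
    """Return (name, url, skipped check) for repo secrets with insecure set."""
    findings = []
    for secret in json.loads(secret_list_json).get("items", []):
        meta = secret.get("metadata") or {}
        kind = (meta.get("labels") or {}).get(LABEL)
        if kind not in ("repository", "repo-creds"):
            continue  # not an Argo CD repository secret
        if field(secret, "insecure").strip().lower() not in TRUTHY:
            continue  # verification left enabled
        url = field(secret, "url")
        skipped = "TLS certificate" if url.startswith("https://") else "SSH host key"
        findings.append((meta.get("name"), url, skipped))
    return findings

if __name__ == "__main__":
    for name, url, skipped in unverified_repos(SAMPLE):
        print(f"{name}: {skipped} verification disabled for {url}")
```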
Restructure the argocd-deploy-key-init job so each step (known hosts,
deploy key registration, secret creation) is independently idempotent.
Add ssh-keyscan of Forgejo host key and patch ArgoCD known hosts
ConfigMap. Use kubectl apply with inline YAML to create the repo secret
with the argocd label in a single atomic step. Switch images from
bitnami/kubectl to alpine/k8s.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Configure myks env-data with global repoURL pointing to Forgejo repo,
switch destination from cluster name to in-cluster server URL, and
disable placeholder cluster Secret generation. Add deploy key init Job
that generates an SSH keypair, registers it with Forgejo, and creates
the ArgoCD repository secret. Switch job images from bitnami/kubectl
to alpine/k8s.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>