a9e006a250
Skip SSH host key verification via insecure: "true" in the repository secret. This avoids the chicken-and-egg problem where ArgoCD syncs its own known hosts ConfigMap and overwrites runtime patches. Remove configmaps RBAC and ssh-keyscan logic from the init job. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
104 lines
3.9 KiB
YAML
104 lines
3.9 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
name: argocd-deploy-key-init
|
|
namespace: forgejo
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
|
|
apk add --no-cache openssh-keygen > /dev/null 2>&1
|
|
|
|
ARGOCD_NS="argocd"
|
|
REPO_SECRET="forgejo-repo"
|
|
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
|
|
FORGEJO_URL="https://git.tr1ceracop.de"
|
|
REPO_OWNER="gitea_admin"
|
|
REPO_NAME="k8s-and-chill"
|
|
|
|
# Wait for Forgejo to be ready
|
|
echo "Waiting for Forgejo to be ready..."
|
|
for i in $(seq 1 60); do
|
|
if curl -sk "${FORGEJO_URL}/api/v1/version" >/dev/null 2>&1; then
|
|
echo "Forgejo HTTPS is ready"
|
|
break
|
|
fi
|
|
if [ "$i" -eq 60 ]; then
|
|
echo "Forgejo did not become ready in time"
|
|
exit 1
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
# Check if ArgoCD repo secret already exists
|
|
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
|
|
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
|
|
exit 0
|
|
fi
|
|
|
|
# Read admin credentials
|
|
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
|
|
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
|
|
|
|
# Generate ed25519 SSH keypair
|
|
KEYDIR=$(mktemp -d)
|
|
ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
|
|
PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
|
|
PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
|
|
rm -rf "${KEYDIR}"
|
|
|
|
# Register deploy key via Forgejo API
|
|
echo "Registering deploy key..."
|
|
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
|
|
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
|
|
-H "Content-Type: application/json" \
|
|
-u "${ADMIN_USER}:${ADMIN_PASS}" \
|
|
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
|
|
|
|
if [ "${HTTP_CODE}" = "201" ]; then
|
|
echo "Deploy key registered successfully"
|
|
elif [ "${HTTP_CODE}" = "422" ]; then
|
|
echo "Deploy key already exists in Forgejo (422), continuing"
|
|
else
|
|
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
|
|
cat /tmp/response.json
|
|
exit 1
|
|
fi
|
|
|
|
# Create ArgoCD repository secret with insecure flag (skip host key verification)
|
|
cat <<EOSECRET | kubectl apply -f -
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ${REPO_SECRET}
|
|
namespace: ${ARGOCD_NS}
|
|
labels:
|
|
argocd.argoproj.io/secret-type: repository
|
|
stringData:
|
|
type: git
|
|
url: "${REPO_URL}"
|
|
insecure: "true"
|
|
sshPrivateKey: |
|
|
$(echo "${PRIVKEY}" | sed 's/^/ /')
|
|
EOSECRET
|
|
|
|
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
image: alpine/k8s:1.32.3
|
|
name: init
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: argocd-deploy-key-init
|
|
ttlSecondsAfterFinished: 300
|