gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
k8s-and-chill/rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml
Felix Wolf bf0cf0a11d fix(forgejo): force-replace argocd-deploy-key-init Job 
Replace=true alone uses kubectl replace, which rejects updates on Job
immutable fields (spec.selector, spec.template.metadata.labels) when
the cluster already has a Job with auto-generated values. Add Force=true
so ArgoCD does kubectl replace --force (delete + recreate).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 00:05:45 +02:00

115 lines
4.5 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/sync-options: Replace=true,Force=true
argocd.argoproj.io/sync-wave: "1"
name: argocd-deploy-key-init
namespace: forgejo
spec:
template:
spec:
containers:
- command:
- sh
- -c
- |
set -e
ARGOCD_NS="argocd"
REPO_SECRET="forgejo-repo"
REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
FORGEJO_URL="https://git.tr1ceracop.de"
REPO_OWNER="gitea_admin"
REPO_NAME="k8s-and-chill"
# Check if ArgoCD repo secret already exists
if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
exit 0
fi
# Wait for mittwald to populate the keypair and admin secrets
echo "Waiting for forgejo-repo-keypair to be populated..."
for i in $(seq 1 60); do
PRIV_B64=$(kubectl get secret forgejo-repo-keypair -n "${NAMESPACE}" -o jsonpath='{.data.ssh-privatekey}' 2>/dev/null || true)
PUB_B64=$(kubectl get secret forgejo-repo-keypair -n "${NAMESPACE}" -o jsonpath='{.data.ssh-publickey}' 2>/dev/null || true)
if [ -n "${PRIV_B64}" ] && [ -n "${PUB_B64}" ]; then
break
fi
if [ "$i" -eq 60 ]; then
echo "forgejo-repo-keypair was not populated in time"
exit 1
fi
sleep 5
done
# Wait for Forgejo to be ready
echo "Waiting for Forgejo to be ready..."
for i in $(seq 1 60); do
if curl -sk "${FORGEJO_URL}/api/v1/version" >/dev/null 2>&1; then
echo "Forgejo HTTPS is ready"
break
fi
if [ "$i" -eq 60 ]; then
echo "Forgejo did not become ready in time"
exit 1
fi
sleep 5
done
# Read admin credentials
ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)
PRIVKEY=$(echo "${PRIV_B64}" | base64 -d)
PUBKEY=$(echo "${PUB_B64}" | base64 -d)
# Register deploy key via Forgejo API
echo "Registering deploy key..."
HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
-X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
-H "Content-Type: application/json" \
-u "${ADMIN_USER}:${ADMIN_PASS}" \
-d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")
if [ "${HTTP_CODE}" = "201" ]; then
echo "Deploy key registered successfully"
elif [ "${HTTP_CODE}" = "422" ]; then
echo "Deploy key already exists in Forgejo (422), continuing"
else
echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
cat /tmp/response.json
exit 1
fi
# Create ArgoCD repository secret with insecure flag (skip host key verification)
cat <<EOSECRET | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: ${REPO_SECRET}
namespace: ${ARGOCD_NS}
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: git
url: "${REPO_URL}"
insecure: "true"
sshPrivateKey: |
$(echo "${PRIVKEY}" | sed 's/^/ /')
EOSECRET
echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: init
restartPolicy: OnFailure
serviceAccountName: argocd-deploy-key-init
ttlSecondsAfterFinished: 300
Reference in a new issue View git blame Copy permalink