From 5f9bc2034579e6420776a69969da7da02bd64fe1 Mon Sep 17 00:00:00 2001 
From: Erich Blume Date: Wed, 25 Feb 2026 06:55:53 -0800 Subject: [PATCH] Fix mirror org refs in ArgoCD apps and widen credential template (#266) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Widen `repo-creds-forge` URL prefix from `/eblume/` to host-wide `/` so it matches repos in all forge orgs (fixes `mirrors/` repos not getting SSH credentials) - Update 8 ArgoCD app definitions from `eblume/` → `mirrors/` (immich-charts, cloudnative-pg-charts, external-secrets, connect-helm-charts) - Fix stale alloy clone comment in Ansible defaults - Bump immich v2.5.2 → v2.5.6 (bug-fix patches only) - Update ArgoCD README bootstrap command and credential docs ## Context Mirrors were migrated from `forge.ops.eblu.me/eblume/` to `forge.ops.eblu.me/mirrors/` in commit `cd57814`. Container Dockerfiles and image tags were updated, but ArgoCD app definitions and the repo credential template were missed, causing `ComparisonError` on apps that source Helm charts from mirrored repos. ## Deployment 1. Sync the ArgoCD `argocd` app first (picks up the widened credential template) 2. Sync the `apps` app (picks up new repo URLs for all 8 apps) 3. Verify immich resolves its ComparisonError: `argocd app get immich` 4. Sync immich to deploy v2.5.6: `argocd app sync immich` 5. 
Spot-check: `argocd app get external-secrets`, `argocd app get cloudnative-pg`, `argocd app get 1password-connect` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/266 --- ansible/roles/alloy/defaults/main.yml | 2 +- argocd/apps/1password-connect-ringtail.yaml | 2 +- argocd/apps/1password-connect.yaml | 2 +- argocd/apps/cloudnative-pg.yaml | 2 +- argocd/apps/external-secrets-crds-ringtail.yaml | 2 +- argocd/apps/external-secrets-crds.yaml | 2 +- argocd/apps/external-secrets-ringtail.yaml | 2 +- argocd/apps/external-secrets.yaml | 2 +- argocd/apps/immich.yaml | 2 +- argocd/manifests/argocd/README.md | 10 ++++++---- .../argocd/external-secret-repo-forge.yaml | 17 ++++------------- argocd/manifests/immich/values.yaml | 2 +- docs/changelog.d/fix-mirror-org-refs.infra.md | 1 + service-versions.yaml | 4 ++-- 14 files changed, 23 insertions(+), 29 deletions(-) create mode 100644 docs/changelog.d/fix-mirror-org-refs.infra.md diff --git a/ansible/roles/alloy/defaults/main.yml b/ansible/roles/alloy/defaults/main.yml index 6854011..8954d87 100644 --- a/ansible/roles/alloy/defaults/main.yml +++ b/ansible/roles/alloy/defaults/main.yml @@ -10,7 +10,7 @@ # Build on dev machine (gilbert), then copy to indri: # # 1. Clone from forge mirror: -# git clone ssh://forgejo@forge.ops.eblu.me:2222/eblume/alloy.git ~/code/3rd/alloy +# git clone ssh://forgejo@forge.ops.eblu.me:2222/mirrors/alloy.git ~/code/3rd/alloy # # 2. Set up build tools via mise: # cd ~/code/3rd/alloy && mise use go@1.25 node yarn diff --git a/argocd/apps/1password-connect-ringtail.yaml b/argocd/apps/1password-connect-ringtail.yaml index 408eb23..620bfab 100644 --- a/argocd/apps/1password-connect-ringtail.yaml +++ b/argocd/apps/1password-connect-ringtail.yaml 
@@ -14,7 +14,7 @@ metadata: spec: project: default sources: - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git targetRevision: connect-2.3.0 path: charts/connect helm: diff --git a/argocd/apps/1password-connect.yaml b/argocd/apps/1password-connect.yaml index 972a467..4831868 100644 --- a/argocd/apps/1password-connect.yaml +++ b/argocd/apps/1password-connect.yaml @@ -20,7 +20,7 @@ metadata: spec: project: default sources: - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git targetRevision: connect-2.3.0 path: charts/connect helm: diff --git a/argocd/apps/cloudnative-pg.yaml b/argocd/apps/cloudnative-pg.yaml index 273bdc3..b26c151 100644 --- a/argocd/apps/cloudnative-pg.yaml +++ b/argocd/apps/cloudnative-pg.yaml @@ -11,7 +11,7 @@ spec: project: default sources: # Helm chart from forge mirror (SSH via egress) - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/cloudnative-pg-charts.git targetRevision: cloudnative-pg-v0.27.1 path: charts/cloudnative-pg helm: diff --git a/argocd/apps/external-secrets-crds-ringtail.yaml b/argocd/apps/external-secrets-crds-ringtail.yaml index a23eae3..8fbc304 100644 --- a/argocd/apps/external-secrets-crds-ringtail.yaml +++ b/argocd/apps/external-secrets-crds-ringtail.yaml @@ -11,7 +11,7 @@ metadata: spec: project: default source: - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git + repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git targetRevision: helm-chart-2.0.0 path: config/crds/bases directory: diff --git a/argocd/apps/external-secrets-crds.yaml b/argocd/apps/external-secrets-crds.yaml index 985ff24..2b2178d 100644 --- a/argocd/apps/external-secrets-crds.yaml 
+++ b/argocd/apps/external-secrets-crds.yaml @@ -15,7 +15,7 @@ metadata: spec: project: default source: - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git + repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git targetRevision: helm-chart-2.0.0 path: config/crds/bases directory: diff --git a/argocd/apps/external-secrets-ringtail.yaml b/argocd/apps/external-secrets-ringtail.yaml index c54c51b..c7cacec 100644 --- a/argocd/apps/external-secrets-ringtail.yaml +++ b/argocd/apps/external-secrets-ringtail.yaml @@ -13,7 +13,7 @@ metadata: spec: project: default sources: - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git targetRevision: helm-chart-2.0.0 path: deploy/charts/external-secrets helm: diff --git a/argocd/apps/external-secrets.yaml b/argocd/apps/external-secrets.yaml index 91bc1bd..369bef5 100644 --- a/argocd/apps/external-secrets.yaml +++ b/argocd/apps/external-secrets.yaml @@ -14,7 +14,7 @@ metadata: spec: project: default sources: - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git targetRevision: helm-chart-2.0.0 path: deploy/charts/external-secrets helm: diff --git a/argocd/apps/immich.yaml b/argocd/apps/immich.yaml index fd76185..22b95cc 100644 --- a/argocd/apps/immich.yaml +++ b/argocd/apps/immich.yaml @@ -19,7 +19,7 @@ spec: project: default sources: # Helm chart from forge mirror (SSH via egress) - - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/immich-charts.git + - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/immich-charts.git targetRevision: immich-0.10.3 path: charts/immich helm: diff --git a/argocd/manifests/argocd/README.md b/argocd/manifests/argocd/README.md index 344b1e2..615e3bb 100644 --- a/argocd/manifests/argocd/README.md +++ b/argocd/manifests/argocd/README.md 
@@ -30,11 +30,13 @@ argocd account update-password # 6. Apply repo-creds-forge credential template for SSH access to all forge repos PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \ +KNOWN_HOSTS=$(ssh-keyscan -p 2222 forge.ops.eblu.me 2>/dev/null | grep ssh-rsa) && \ kubectl create secret generic repo-creds-forge -n argocd \ --from-literal=type=git \ - --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/eblume/' \ - --from-literal=insecure=true \ - --from-literal=sshPrivateKey="$PRIV_KEY" && \ + --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/' \ + --from-literal=insecure=false \ + --from-literal=sshPrivateKey="$PRIV_KEY" \ + --from-literal=sshKnownHosts="$KNOWN_HOSTS" && \ kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds # 7. Apply ArgoCD Applications (self-management + app-of-apps) @@ -110,6 +112,6 @@ spec: - **TODO:** Secrets (`repo-creds-forge`) are not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets). -- The credential template (`repo-creds`) uses a URL prefix to match all repos under `eblume/`. +- The credential template (`repo-creds`) uses a URL prefix to match all repos on forge. - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination. - The `--grpc-web` flag is required for CLI access through the Tailscale ingress. diff --git a/argocd/manifests/argocd/external-secret-repo-forge.yaml b/argocd/manifests/argocd/external-secret-repo-forge.yaml index dbb6724..a8022ad 100644 --- a/argocd/manifests/argocd/external-secret-repo-forge.yaml +++ b/argocd/manifests/argocd/external-secret-repo-forge.yaml 
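Review bot: The step-6 bootstrap now establishes the forge host key by trust-on-first-use — `KNOWN_HOSTS=$(ssh-keyscan -p 2222 forge.ops.eblu.me 2>/dev/null | grep ssh-rsa)` accepts whatever key answers at bootstrap time, `2>/dev/null` hides a failed scan, and `grep ssh-rsa` keeps only the RSA key — while external-secret-repo-forge.yaml in this same commit pins one specific key. Seed the README from that pinned entry instead (or compare the scanned output against it before continuing), e.g. `KNOWN_HOSTS='[forge.ops.eblu.me]:2222 ssh-rsa <pinned key from external-secret-repo-forge.yaml>'`, so both bootstrap paths trust the same key and a wrong key at first contact is not silently accepted. Separately, as far as I can tell Argo CD does not read an `sshKnownHosts` key from a repo-creds secret; SSH host keys come from the `argocd-ssh-known-hosts-cm` ConfigMap (`ssh_known_hosts` key), so with `insecure=false` cloning may fail host-key verification until that ConfigMap carries the forge entry — please verify against the Argo CD repository-credential docs. The same applies to the `sshKnownHosts` line added in the external-secret-repo-forge.yaml hunk.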
@@ -1,14 +1,4 @@ -# ExternalSecret for ArgoCD Forge SSH credentials -# -# Replaces the manual op inject workflow from repo-forge-secret.yaml.tpl -# -# 1Password item: "argocd-forge-ssh-key" in blumeops vault (Secure Note) -# Field: "private-key-openssh" -# -# Note: Uses a separate Secure Note item because 1Password Connect doesn't -# support the ?ssh-format=openssh query parameter that the CLI uses. -# -# This is a repo-creds (credential template) that matches ALL repos under eblume/ +# ArgoCD repo-creds template — matches all repos on forge via SSH # apiVersion: external-secrets.io/v1 kind: ExternalSecret @@ -29,9 +19,10 @@ spec: argocd.argoproj.io/secret-type: repo-creds data: type: git - url: "ssh://forgejo@forge.ops.eblu.me:2222/eblume/" - insecure: "true" + url: "ssh://forgejo@forge.ops.eblu.me:2222/" + insecure: "false" sshPrivateKey: "{{ .privateKey }}" + sshKnownHosts: "[forge.ops.eblu.me]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlGQT5w03XxlhmEiDVtGq2SkhLIZU4vYhdMey/T2tFLp7kEiOwCWgDgbBn12VDfqXTXJreykBuREqYNSx4tL4Znwap0+HjLOjTIVri8af2ZFF6IP52pcmJEOnxm/yUZhJCosu1wOZwLOoQEPBYM6sPN4OY9PFOsrsxMO2LWPJAZujPlnsfKOTsIS5iRpiT4yU7Z+oWB21rMxjZ9sXZRn8PI2MbUIs/Yazpah2XPJm2YJ7C+kqTLmld4mXQaQtHhzvPaRNB59RS8xyinuaRs618tD3DQq3Qpt8ZZKZydLVv4CIrGvjdqavt0l+4rsNGBh8dWvDR7l2Z6wo9ggDCej957+J6tInfZ82KHSW3ONdm2mUOHObUVSte2xUPlRpnIBFt3lcCapifPULE7PuN0Xdw4r+ewr+6R65RzdptqGfKyyAYsERhbq904ryNZ9fy30vH8+j9imL5AhMkCbP8S/UW49rDIdfN6MvZlX9MoBhmbrkv+kETB7qz9zaOrocEOZOE3fzB9iZxNwlXjstUnjkqi4P1yY/SKpyLC/yDCUpxC79FbCAKIJwar3C2mZaLeBGyqL31HPKOx175VsSxIbjeJX8uNO9WhbFPlcbRETeEoq+dczeU25OESCyyelGb72tTNJYObn2R8Br9NFPiwGZJX6TLlKqaE7x3D0M64ncTJQ==" data: - secretKey: privateKey remoteRef: diff --git a/argocd/manifests/immich/values.yaml b/argocd/manifests/immich/values.yaml index 5eef44d..493d9b1 100644 --- a/argocd/manifests/immich/values.yaml +++ b/argocd/manifests/immich/values.yaml 
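Review bot: The rewritten header comment drops the operational context the old one carried — which 1Password item and field the `remoteRef` resolves (the rest of `data:` continues past the hunk) and why the key lives in a Secure Note rather than being read with `?ssh-format=openssh` — so the next person debugging a failed `privateKey` lookup has nothing to go on. I'd keep a short block after the new first line, e.g. `# Key source: 1Password Secure Note "argocd-forge-ssh-key" (blumeops vault), field "private-key-openssh";` / `# a Secure Note is used because 1Password Connect cannot apply ?ssh-format=openssh.` Pinning `sshKnownHosts` is the right direction, but it is a hard-coded host key duplicated in the README bootstrap, so add `# Host key pin for forge.ops.eblu.me:2222 — update together with the README bootstrap when the server key rotates` above it so the two copies are not left to drift.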
@@ -16,7 +16,7 @@ controllers: containers: main: image: - tag: v2.5.2 + tag: v2.5.6 env: DB_HOSTNAME: "immich-pg-rw.databases.svc.cluster.local" DB_PORT: "5432" diff --git a/docs/changelog.d/fix-mirror-org-refs.infra.md b/docs/changelog.d/fix-mirror-org-refs.infra.md new file mode 100644 index 0000000..c0f7e0d --- /dev/null +++ b/docs/changelog.d/fix-mirror-org-refs.infra.md @@ -0,0 +1 @@ +Fix ArgoCD app definitions and credential template to use `mirrors/` org after forge mirror migration; bump immich v2.5.2 → v2.5.6. diff --git a/service-versions.yaml b/service-versions.yaml index 0e56024..40725c7 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -96,8 +96,8 @@ services: - name: immich type: argocd - last-reviewed: null - current-version: null + last-reviewed: 2026-02-25 + current-version: "v2.5.6" upstream-source: https://github.com/immich-app/immich/releases notes: Deployed via Helm chart