Fix mirror org refs in ArgoCD apps and widen credential template (#266)

## Summary - Widen `repo-creds-forge` URL prefix from `/eblume/` to host-wide `/` so it matches repos in all forge orgs (fixes `mirrors/` repos not getting SSH credentials) - Update 8 ArgoCD app definitions from `eblume/<mirror>` → `mirrors/<mirror>` (immich-charts, cloudnative-pg-charts, external-secrets, connect-helm-charts) - Fix stale alloy clone comment in Ansible defaults - Bump immich v2.5.2 → v2.5.6 (bug-fix patches only) - Update ArgoCD README bootstrap command and credential docs ## Context Mirrors were migrated from `forge.ops.eblu.me/eblume/` to `forge.ops.eblu.me/mirrors/` in commit `cd57814`. Container Dockerfiles and image tags were updated, but ArgoCD app definitions and the repo credential template were missed, causing `ComparisonError` on apps that source Helm charts from mirrored repos. ## Deployment 1. Sync the ArgoCD `argocd` app first (picks up the widened credential template) 2. Sync the `apps` app (picks up new repo URLs for all 8 apps) 3. Verify immich resolves its ComparisonError: `argocd app get immich` 4. Sync immich to deploy v2.5.6: `argocd app sync immich` 5. Spot-check: `argocd app get external-secrets`, `argocd app get cloudnative-pg`, `argocd app get 1password-connect` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/266
2026-02-25 06:55:53 -08:00 · 2026-02-25 06:55:53 -08:00 · 5f9bc20345
commit 5f9bc20345
parent 5c31b6b42a
14 changed files with 23 additions and 29 deletions
--- a/ansible/roles/alloy/defaults/main.yml
+++ b/ansible/roles/alloy/defaults/main.yml
@ -10,7 +10,7 @@
 # Build on dev machine (gilbert), then copy to indri:
 #
 # 1. Clone from forge mirror:
-#    git clone ssh://forgejo@forge.ops.eblu.me:2222/eblume/alloy.git ~/code/3rd/alloy
+#    git clone ssh://forgejo@forge.ops.eblu.me:2222/mirrors/alloy.git ~/code/3rd/alloy
 #
 # 2. Set up build tools via mise:
 #    cd ~/code/3rd/alloy && mise use go@1.25 node yarn
--- a/argocd/apps/1password-connect-ringtail.yaml
+++ b/argocd/apps/1password-connect-ringtail.yaml
@ -14,7 +14,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
      targetRevision: connect-2.3.0
      path: charts/connect
      helm:
--- a/argocd/apps/1password-connect.yaml
+++ b/argocd/apps/1password-connect.yaml
@ -20,7 +20,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
      targetRevision: connect-2.3.0
      path: charts/connect
      helm:
--- a/argocd/apps/cloudnative-pg.yaml
+++ b/argocd/apps/cloudnative-pg.yaml
@ -11,7 +11,7 @@ spec:
  project: default
  sources:
    # Helm chart from forge mirror (SSH via egress)
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/cloudnative-pg-charts.git
      targetRevision: cloudnative-pg-v0.27.1
      path: charts/cloudnative-pg
      helm:
--- a/argocd/apps/external-secrets-crds-ringtail.yaml
+++ b/argocd/apps/external-secrets-crds-ringtail.yaml
@ -11,7 +11,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
    targetRevision: helm-chart-2.0.0
    path: config/crds/bases
    directory:
--- a/argocd/apps/external-secrets-crds.yaml
+++ b/argocd/apps/external-secrets-crds.yaml
@ -15,7 +15,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
    targetRevision: helm-chart-2.0.0
    path: config/crds/bases
    directory:
--- a/argocd/apps/external-secrets-ringtail.yaml
+++ b/argocd/apps/external-secrets-ringtail.yaml
@ -13,7 +13,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
      targetRevision: helm-chart-2.0.0
      path: deploy/charts/external-secrets
      helm:
--- a/argocd/apps/external-secrets.yaml
+++ b/argocd/apps/external-secrets.yaml
@ -14,7 +14,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
      targetRevision: helm-chart-2.0.0
      path: deploy/charts/external-secrets
      helm:
--- a/argocd/apps/immich.yaml
+++ b/argocd/apps/immich.yaml
@ -19,7 +19,7 @@ spec:
  project: default
  sources:
    # Helm chart from forge mirror (SSH via egress)
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/immich-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/immich-charts.git
      targetRevision: immich-0.10.3
      path: charts/immich
      helm:
--- a/argocd/manifests/argocd/README.md
+++ b/argocd/manifests/argocd/README.md
@ -30,11 +30,13 @@ argocd account update-password
 # 6. Apply repo-creds-forge credential template for SSH access to all forge repos
 PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
 KNOWN_HOSTS=$(ssh-keyscan -p 2222 forge.ops.eblu.me 2>/dev/null | grep ssh-rsa) && \
 kubectl create secret generic repo-creds-forge -n argocd \
  --from-literal=type=git \
-  --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/eblume/' \
+  --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/' \
-  --from-literal=insecure=true \
+  --from-literal=insecure=false \
-  --from-literal=sshPrivateKey="$PRIV_KEY" && \
+  --from-literal=sshPrivateKey="$PRIV_KEY" \
  --from-literal=sshKnownHosts="$KNOWN_HOSTS" && \
 kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
 # 7. Apply ArgoCD Applications (self-management + app-of-apps)
@ -110,6 +112,6 @@ spec:
 - **TODO:** Secrets (`repo-creds-forge`) are not managed by ArgoCD and must be applied manually.
  Future improvement: integrate with a secrets operator (e.g., External Secrets).
- The credential template (`repo-creds`) uses a URL prefix to match all repos under `eblume/`.
+- The credential template (`repo-creds`) uses a URL prefix to match all repos on forge.
 - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
 - The `--grpc-web` flag is required for CLI access through the Tailscale ingress.
--- a/argocd/manifests/argocd/external-secret-repo-forge.yaml
+++ b/argocd/manifests/argocd/external-secret-repo-forge.yaml
@ -1,14 +1,4 @@
-# ExternalSecret for ArgoCD Forge SSH credentials
+# ArgoCD repo-creds template — matches all repos on forge via SSH
 #
 # Replaces the manual op inject workflow from repo-forge-secret.yaml.tpl
 #
 # 1Password item: "argocd-forge-ssh-key" in blumeops vault (Secure Note)
 # Field: "private-key-openssh"
 #
 # Note: Uses a separate Secure Note item because 1Password Connect doesn't
 # support the ?ssh-format=openssh query parameter that the CLI uses.
 #
 # This is a repo-creds (credential template) that matches ALL repos under eblume/
 #
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@ -29,9 +19,10 @@ spec:
          argocd.argoproj.io/secret-type: repo-creds
      data:
        type: git
-        url: "ssh://forgejo@forge.ops.eblu.me:2222/eblume/"
+        url: "ssh://forgejo@forge.ops.eblu.me:2222/"
-        insecure: "true"
+        insecure: "false"
        sshPrivateKey: "{{ .privateKey }}"
        sshKnownHosts: "[forge.ops.eblu.me]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlGQT5w03XxlhmEiDVtGq2SkhLIZU4vYhdMey/T2tFLp7kEiOwCWgDgbBn12VDfqXTXJreykBuREqYNSx4tL4Znwap0+HjLOjTIVri8af2ZFF6IP52pcmJEOnxm/yUZhJCosu1wOZwLOoQEPBYM6sPN4OY9PFOsrsxMO2LWPJAZujPlnsfKOTsIS5iRpiT4yU7Z+oWB21rMxjZ9sXZRn8PI2MbUIs/Yazpah2XPJm2YJ7C+kqTLmld4mXQaQtHhzvPaRNB59RS8xyinuaRs618tD3DQq3Qpt8ZZKZydLVv4CIrGvjdqavt0l+4rsNGBh8dWvDR7l2Z6wo9ggDCej957+J6tInfZ82KHSW3ONdm2mUOHObUVSte2xUPlRpnIBFt3lcCapifPULE7PuN0Xdw4r+ewr+6R65RzdptqGfKyyAYsERhbq904ryNZ9fy30vH8+j9imL5AhMkCbP8S/UW49rDIdfN6MvZlX9MoBhmbrkv+kETB7qz9zaOrocEOZOE3fzB9iZxNwlXjstUnjkqi4P1yY/SKpyLC/yDCUpxC79FbCAKIJwar3C2mZaLeBGyqL31HPKOx175VsSxIbjeJX8uNO9WhbFPlcbRETeEoq+dczeU25OESCyyelGb72tTNJYObn2R8Br9NFPiwGZJX6TLlKqaE7x3D0M64ncTJQ=="
  data:
  - secretKey: privateKey
    remoteRef:
--- a/argocd/manifests/immich/values.yaml
+++ b/argocd/manifests/immich/values.yaml
@ -16,7 +16,7 @@ controllers:
    containers:
      main:
        image:
-          tag: v2.5.2
+          tag: v2.5.6
        env:
          DB_HOSTNAME: "immich-pg-rw.databases.svc.cluster.local"
          DB_PORT: "5432"
--- a/docs/changelog.d/fix-mirror-org-refs.infra.md
+++ b/docs/changelog.d/fix-mirror-org-refs.infra.md
@ -0,0 +1 @@
 Fix ArgoCD app definitions and credential template to use `mirrors/` org after forge mirror migration; bump immich v2.5.2 → v2.5.6.
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -96,8 +96,8 @@ services:
  - name: immich
    type: argocd
-    last-reviewed: null
+    last-reviewed: 2026-02-25
-    current-version: null
+    current-version: "v2.5.6"
    upstream-source: https://github.com/immich-app/immich/releases
    notes: Deployed via Helm chart
		`@ -0,0 +1 @@`
							Fix ArgoCD app definitions and credential template to use `mirrors/` org after forge mirror migration; bump immich v2.5.2 → v2.5.6.