Fix mirror org refs in ArgoCD apps and widen credential template

After the forge mirror migration from eblume/ to mirrors/ org, ArgoCD app definitions and the repo credential template still referenced the old paths, causing ComparisonError on mirrored-chart apps. - Widen repo-creds-forge URL prefix to host-wide (matches all forge orgs) - Update 8 ArgoCD app definitions: eblume/<mirror> → mirrors/<mirror> - Fix stale alloy clone comment in Ansible defaults - Bump immich v2.5.2 → v2.5.6 (bug-fix patches) - Update README bootstrap command and credential docs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 06:49:05 -08:00 · 2026-02-25 06:49:05 -08:00 · bbf656f551
commit bbf656f551
parent 5c31b6b42a
14 changed files with 17 additions and 16 deletions
--- a/ansible/roles/alloy/defaults/main.yml
+++ b/ansible/roles/alloy/defaults/main.yml
@ -10,7 +10,7 @@
 # Build on dev machine (gilbert), then copy to indri:
 #
 # 1. Clone from forge mirror:
-#    git clone ssh://forgejo@forge.ops.eblu.me:2222/eblume/alloy.git ~/code/3rd/alloy
+#    git clone ssh://forgejo@forge.ops.eblu.me:2222/mirrors/alloy.git ~/code/3rd/alloy
 #
 # 2. Set up build tools via mise:
 #    cd ~/code/3rd/alloy && mise use go@1.25 node yarn
--- a/argocd/apps/1password-connect-ringtail.yaml
+++ b/argocd/apps/1password-connect-ringtail.yaml
@ -14,7 +14,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
      targetRevision: connect-2.3.0
      path: charts/connect
      helm:
--- a/argocd/apps/1password-connect.yaml
+++ b/argocd/apps/1password-connect.yaml
@ -20,7 +20,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/connect-helm-charts.git
      targetRevision: connect-2.3.0
      path: charts/connect
      helm:
--- a/argocd/apps/cloudnative-pg.yaml
+++ b/argocd/apps/cloudnative-pg.yaml
@ -11,7 +11,7 @@ spec:
  project: default
  sources:
    # Helm chart from forge mirror (SSH via egress)
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/cloudnative-pg-charts.git
      targetRevision: cloudnative-pg-v0.27.1
      path: charts/cloudnative-pg
      helm:
--- a/argocd/apps/external-secrets-crds-ringtail.yaml
+++ b/argocd/apps/external-secrets-crds-ringtail.yaml
@ -11,7 +11,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
    targetRevision: helm-chart-2.0.0
    path: config/crds/bases
    directory:
--- a/argocd/apps/external-secrets-crds.yaml
+++ b/argocd/apps/external-secrets-crds.yaml
@ -15,7 +15,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
    targetRevision: helm-chart-2.0.0
    path: config/crds/bases
    directory:
--- a/argocd/apps/external-secrets-ringtail.yaml
+++ b/argocd/apps/external-secrets-ringtail.yaml
@ -13,7 +13,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
      targetRevision: helm-chart-2.0.0
      path: deploy/charts/external-secrets
      helm:
--- a/argocd/apps/external-secrets.yaml
+++ b/argocd/apps/external-secrets.yaml
@ -14,7 +14,7 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
      targetRevision: helm-chart-2.0.0
      path: deploy/charts/external-secrets
      helm:
--- a/argocd/apps/immich.yaml
+++ b/argocd/apps/immich.yaml
@ -19,7 +19,7 @@ spec:
  project: default
  sources:
    # Helm chart from forge mirror (SSH via egress)
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/immich-charts.git
+    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/immich-charts.git
      targetRevision: immich-0.10.3
      path: charts/immich
      helm:
--- a/argocd/manifests/argocd/README.md
+++ b/argocd/manifests/argocd/README.md
@ -32,7 +32,7 @@ argocd account update-password
 PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
 kubectl create secret generic repo-creds-forge -n argocd \
  --from-literal=type=git \
-  --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/eblume/' \
+  --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/' \
  --from-literal=insecure=true \
  --from-literal=sshPrivateKey="$PRIV_KEY" && \
 kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
@ -110,6 +110,6 @@ spec:

 - **TODO:** Secrets (`repo-creds-forge`) are not managed by ArgoCD and must be applied manually.
  Future improvement: integrate with a secrets operator (e.g., External Secrets).
- The credential template (`repo-creds`) uses a URL prefix to match all repos under `eblume/`.
+- The credential template (`repo-creds`) uses a URL prefix to match all repos on forge.
 - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
 - The `--grpc-web` flag is required for CLI access through the Tailscale ingress.
--- a/argocd/manifests/argocd/external-secret-repo-forge.yaml
+++ b/argocd/manifests/argocd/external-secret-repo-forge.yaml
@ -8,7 +8,7 @@
 # Note: Uses a separate Secure Note item because 1Password Connect doesn't
 # support the ?ssh-format=openssh query parameter that the CLI uses.
 #
-# This is a repo-creds (credential template) that matches ALL repos under eblume/
+# This is a repo-creds (credential template) that matches ALL repos on forge
 #
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@ -29,7 +29,7 @@ spec:
          argocd.argoproj.io/secret-type: repo-creds
      data:
        type: git
-        url: "ssh://forgejo@forge.ops.eblu.me:2222/eblume/"
+        url: "ssh://forgejo@forge.ops.eblu.me:2222/"
        insecure: "true"
        sshPrivateKey: "{{ .privateKey }}"
  data:
--- a/argocd/manifests/immich/values.yaml
+++ b/argocd/manifests/immich/values.yaml
@ -16,7 +16,7 @@ controllers:
    containers:
      main:
        image:
-          tag: v2.5.2
+          tag: v2.5.6
        env:
          DB_HOSTNAME: "immich-pg-rw.databases.svc.cluster.local"
          DB_PORT: "5432"
--- a/docs/changelog.d/fix-mirror-org-refs.infra.md
+++ b/docs/changelog.d/fix-mirror-org-refs.infra.md
@ -0,0 +1 @@
+Fix ArgoCD app definitions and credential template to use `mirrors/` org after forge mirror migration; bump immich v2.5.2 → v2.5.6.
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -96,8 +96,8 @@ services:

  - name: immich
    type: argocd
-    last-reviewed: null
-    current-version: null
+    last-reviewed: 2026-02-25
+    current-version: "v2.5.6"
    upstream-source: https://github.com/immich-app/immich/releases
    notes: Deployed via Helm chart
				`@ -0,0 +1 @@`
				Fix ArgoCD app definitions and credential template to use `mirrors/` org after forge mirror migration; bump immich v2.5.2 → v2.5.6.