Switch chart repos from HTTPS to SSH for cluster egress compatibility

- Update cloudnative-pg and grafana apps to use SSH URLs
- Convert repo-forge secret to repo-creds-forge credential template
- The credential template matches all repos under eblume/ using URL prefix
- SSH key is now added to Forgejo user (not as deploy key) for all-repo access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Erich Blume 2026-01-19 12:17:51 -08:00
commit d0966ae3f6
4 changed files with 23 additions and 18 deletions


@ -10,8 +10,8 @@ metadata:
spec:
project: default
sources:
# Helm chart from forge mirror (HTTPS, public repo)
- repoURL: https://forge.tail8d86e.ts.net/eblume/cloudnative-pg-charts.git
# Helm chart from forge mirror (SSH via egress)
- repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/cloudnative-pg-charts.git
targetRevision: cloudnative-pg-v0.23.0
path: charts/cloudnative-pg
helm:
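Review bot: `targetRevision: cloudnative-pg-v0.23.0` pins this chart source to a tag, which is a mutable ref on the mirror; now that the same SSH identity reaches every repo under `eblume/`, a rewritten tag would silently change what ArgoCD renders for the database operator. Consider pinning to the commit SHA behind the tag (or enabling tag protection on the Forgejo mirror) and noting in the comment that the `ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/` prefix is what selects the credential template for this source.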


@ -13,8 +13,8 @@ metadata:
spec:
project: default
sources:
# Helm chart from forge mirror (HTTPS, public repo)
- repoURL: https://forge.tail8d86e.ts.net/eblume/grafana-helm-charts.git
# Helm chart from forge mirror (SSH via egress)
- repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/grafana-helm-charts.git
targetRevision: grafana-8.8.2
path: charts/grafana
helm:
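Review bot: ArgoCD matches a repo-creds template to a source by plain string prefix of `repoURL`, so the `forgejo@` user and `:2200` port in `ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/grafana-helm-charts.git` are part of the match and must be spelled identically to the template URL; a `repoURL` written as `ssh://indri.tail8d86e.ts.net:2200/...` or `forgejo@indri...:eblume/...` (scp form) would not pick up the key. Since this host:port now appears in both app files and the bootstrap command, a short comment here stating that the URL must start with the template prefix would save the next person a failed sync.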


@ -5,7 +5,7 @@ GitOps continuous delivery for Kubernetes, with self-management via ArgoCD.
## Prerequisites
- Tailscale operator deployed (see `argocd/manifests/tailscale-operator/README.md`)
- Deploy key added to forge for SSH access to blumeops repo
- SSH key added to Forgejo user for access to all forge repos (not a deploy key)
## Manual Bootstrap
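Review bot: the new prerequisite bullet swaps a per-repo deploy key for a key on the Forgejo user account, and in Forgejo/Gitea a user SSH key carries that user's full permissions, including push, on every repo the user owns, whereas deploy keys can be created read-only. ArgoCD only needs to fetch, so a compromise of the `argocd` namespace now yields write access to blumeops and both chart mirrors. Suggest either a dedicated machine user that is a read-only collaborator on the mirrored repos, or keeping read-only deploy keys per repo, and stating in this bullet which account the key is attached to so the blast radius is visible to whoever rotates it.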
@ -28,14 +28,14 @@ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.pas
argocd login argocd.tail8d86e.ts.net --username admin --grpc-web
argocd account update-password
# 6. Apply repo-forge secret for SSH access to forge
# 6. Apply repo-creds-forge credential template for SSH access to all forge repos
PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
kubectl create secret generic repo-forge -n argocd \
kubectl create secret generic repo-creds-forge -n argocd \
--from-literal=type=git \
--from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git' \
--from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/' \
--from-literal=insecure=true \
--from-literal=sshPrivateKey="$PRIV_KEY" && \
kubectl label secret repo-forge -n argocd argocd.argoproj.io/secret-type=repository
kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
# 7. Apply ArgoCD Applications (self-management + app-of-apps)
kubectl apply -f argocd/apps/argocd.yaml
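Review bot: `--from-literal=sshPrivateKey="$PRIV_KEY"` puts the private key on the kubectl command line, where it is visible to other processes via `ps` and may be written to shell history. Prefer handing it over a pipe, e.g. `{ op read "op://.../private key?ssh-format=openssh"; echo; } | kubectl create secret generic repo-creds-forge -n argocd --from-file=sshPrivateKey=/dev/stdin --from-literal=type=git ...`. The `$'\n'` appended to `PRIV_KEY` is doing real work (OpenSSH refuses a PEM block without a trailing newline, which `$(...)` strips), so keep that behaviour and add a comment saying why, since it looks like a typo otherwise.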
@ -103,12 +103,13 @@ spec:
| `kustomization.yaml` | References upstream install.yaml + local customizations |
| `service-tailscale.yaml` | Tailscale Ingress for external access with Let's Encrypt TLS |
| `argocd-cmd-params-cm.yaml` | Patch to disable HTTPS redirect (TLS terminates at Ingress) |
| `repo-forge-secret.yaml.tpl` | Template documenting the forge SSH secret (manual) |
| `repo-forge-secret.yaml.tpl` | Template for forge SSH credential template (manual) |
| `README.md` | This file |
## Notes
- **TODO:** Secrets (`repo-forge`) are not managed by ArgoCD and must be applied manually.
- **TODO:** Secrets (`repo-creds-forge`) are not managed by ArgoCD and must be applied manually.
Future improvement: integrate with a secrets operator (e.g., External Secrets).
- The credential template (`repo-creds`) uses a URL prefix to match all repos under `eblume/`.
- ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
- The `--grpc-web` flag is required for CLI access through the Tailscale ingress.
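Review bot: the files table still lists `repo-forge-secret.yaml.tpl` while the secret it documents is now `repo-creds-forge` with the `repo-creds` label, and the Notes bullet refers to `repo-creds-forge`; either rename the template (e.g. `repo-creds-forge-secret.yaml.tpl`) or say in the row that the filename is historical so the two names stop drifting. The new bullet "uses a URL prefix to match all repos under `eblume/`" would be more useful if it quoted the full prefix `ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/`, since user, host and port are all part of what ArgoCD compares.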


@ -1,27 +1,31 @@
# ArgoCD repository secret for forge SSH access
# ArgoCD credential template for forge SSH access
# This is a repo-creds (credential template) that matches ALL repos under eblume/
#
# IMPORTANT: Use ?ssh-format=openssh to get OpenSSH format (required by ArgoCD)
#
# The SSH key must be added to the Forgejo user's SSH keys (not as a deploy key)
# so it has access to all repos owned by that user.
#
# Create the secret with:
#
# PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
# kubectl create secret generic repo-forge -n argocd \
# kubectl create secret generic repo-creds-forge -n argocd \
# --from-literal=type=git \
# --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git' \
# --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/' \
# --from-literal=insecure=true \
# --from-literal=sshPrivateKey="$PRIV_KEY" && \
# kubectl label secret repo-forge -n argocd argocd.argoproj.io/secret-type=repository
# kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
#
apiVersion: v1
kind: Secret
metadata:
name: repo-forge
name: repo-creds-forge
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
argocd.argoproj.io/secret-type: repo-creds
stringData:
type: git
url: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
url: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/
insecure: "true"
sshPrivateKey: |
# Key from 1Password: op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key
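Review bot: `insecure: "true"` is unchanged context, but with the move from a single-repo secret to a prefix template it now disables SSH host key verification for every repo under `eblume/` and any added later, so a host on the tailnet answering for `indri.tail8d86e.ts.net:2200` could serve substitute manifests without ArgoCD noticing. Add the server key to the `argocd-ssh-known-hosts-cm` ConfigMap (`ssh-keyscan -p 2200 indri.tail8d86e.ts.net` gives the line) and drop `insecure`, and extend the header comment with a verification step such as `argocd repocreds list` so the operator can confirm the template is registered before the first sync.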