2026-02-13 10:29:24 -08:00
4 changed files with 13 additions and 13 deletions
--- a/argocd/manifests/forgejo-runner/configmap.yaml
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@ -18,7 +18,7 @@ data:
        TZ: America/Los_Angeles

    container:
-      # Job execution image is set via RUNNER_LABELS in external-secret.yaml
+      # Job execution image is set via RUNNER_LABELS in deployment.yaml
      network: "host"
      # Connect to DinD sidecar via TCP (not socket)
      docker_host: tcp://127.0.0.1:2375
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@ -24,6 +24,12 @@ spec:
              value: America/Los_Angeles
            - name: DOCKER_HOST
              value: tcp://localhost:2375
+            - name: FORGEJO_URL
+              value: "https://forge.ops.eblu.me"
+            - name: RUNNER_NAME
+              value: "k8s-runner"
+            - name: RUNNER_LABELS
+              value: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v3.1.0"
          command:
            - /bin/sh
            - -c
--- a/argocd/manifests/forgejo-runner/external-secret.yaml
+++ b/argocd/manifests/forgejo-runner/external-secret.yaml
@ -1,12 +1,11 @@
-# ExternalSecret for Forgejo Runner environment
-#
-# Replaces the manual op inject workflow from secret.yaml.tpl
+# ExternalSecret for Forgejo Runner token
 #
 # 1Password item: "Forgejo Secrets" in blumeops vault
 # Field: runner_reg (runner registration token)
 #
-# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
-# via template since they don't need to be in 1Password.
+# Non-secret env vars (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) live in the
+# deployment spec so that changes (e.g. image version bumps) trigger a rollout
+# automatically.
 #
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@ -21,14 +20,8 @@ spec:
  target:
    name: forgejo-runner-env
    creationPolicy: Owner
-    template:
-      data:
-        FORGEJO_URL: "https://forge.ops.eblu.me"
-        RUNNER_NAME: "k8s-runner"
-        RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v3.1.0"
-        RUNNER_TOKEN: "{{ .runner_token }}"
  data:
-  - secretKey: runner_token
+  - secretKey: RUNNER_TOKEN
    remoteRef:
      key: Forgejo Secrets
      property: runner_reg
--- a/docs/changelog.d/feature-runner-env-refactor.infra.md
+++ b/docs/changelog.d/feature-runner-env-refactor.infra.md
@ -0,0 +1 @@
+Move non-secret forgejo-runner env vars from ExternalSecret to deployment spec so version bumps trigger automatic rollouts
				`@ -0,0 +1 @@`
				`Move non-secret forgejo-runner env vars from ExternalSecret to deployment spec so version bumps trigger automatic rollouts`