eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/argocd
History
Erich Blume 1f73eb675d Auto-deploy docs from build workflow (#93) 
## Summary
- Add `uv` and `argocd` CLI to forgejo-runner container image
- Add `workflow-bot` ArgoCD account with sync permissions (declarative via kustomize patches)
- Add `ARGOCD_AUTH_TOKEN` to forgejo-runner external secret for workflow auth
- Update build workflow to auto-deploy docs after release:
  - Update configmap with new release URL
  - Commit changelog and configmap changes
  - Sync docs app via ArgoCD

## Deployment and Testing
Manual steps required before this can work:
1. [ ] Build and push new forgejo-runner image (v2.4.0)
2. [ ] Sync argocd app to create workflow-bot account
3. [ ] Generate token: `argocd account generate-token --account workflow-bot`
4. [ ] Store token in 1Password under "Forgejo Secrets" with field `argocd_token`
5. [ ] Sync forgejo-runner app to pick up new external secret
6. [ ] Update forgejo-runner deployment to use new image version
7. [ ] Test by running workflow manually

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/93
2026-02-03 16:58:03 -08:00
..
argocd-cm-patch.yaml Auto-deploy docs from build workflow (#93) 2026-02-03 16:58:03 -08:00
argocd-cmd-params-cm.yaml K8s Migration Phase 1: Infrastructure Setup (#29) 2026-01-19 09:49:52 -08:00
argocd-rbac-cm-patch.yaml Auto-deploy docs from build workflow (#93) 2026-02-03 16:58:03 -08:00
argocd-ssh-known-hosts-cm.yaml Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
external-secret-repo-forge.yaml Fix argocd SSH key format for 1Password Connect 2026-01-28 20:31:16 -08:00
kustomization.yaml Auto-deploy docs from build workflow (#93) 2026-02-03 16:58:03 -08:00
README.md Add Immich photo management + migrate forge URLs (#62) 2026-01-26 11:20:11 -08:00
service-tailscale.yaml Homepage dashboard improvements (#76) 2026-01-30 15:05:02 -08:00

README.md

ArgoCD

GitOps continuous delivery for Kubernetes, with self-management via ArgoCD.

Prerequisites

  • Tailscale operator deployed (see argocd/manifests/tailscale-operator/README.md)
  • SSH key added to Forgejo user for access to all forge repos (not a deploy key)

Manual Bootstrap

Bootstrap is required when setting up a new cluster. After bootstrap, ArgoCD manages itself.

# 1. Create namespace
kubectl create namespace argocd

# 2. Apply ArgoCD manifests via kustomize
kubectl apply -k argocd/manifests/argocd/

# 3. Wait for ArgoCD to be ready
kubectl wait --for=condition=available deployment/argocd-server -n argocd --timeout=300s

# 4. Get initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo

# 5. Login and change password
argocd login argocd.tail8d86e.ts.net --username admin --grpc-web
argocd account update-password

# 6. Apply repo-creds-forge credential template for SSH access to all forge repos
PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
kubectl create secret generic repo-creds-forge -n argocd \
  --from-literal=type=git \
  --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/eblume/' \
  --from-literal=insecure=true \
  --from-literal=sshPrivateKey="$PRIV_KEY" && \
kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds

# 7. Apply ArgoCD Applications (self-management + app-of-apps)
kubectl apply -f argocd/apps/argocd.yaml
kubectl apply -f argocd/apps/apps.yaml

After step 7, ArgoCD manages itself and all applications defined in argocd/apps/.

Access

ArgoCD CLI Commands

# Check all applications
argocd app list

# Sync a specific application
argocd app sync <app-name>

# Check application status
argocd app get <app-name>

# Hard refresh (clear git cache)
argocd app get <app-name> --hard-refresh

Adding New Applications

  1. Create an Application manifest in argocd/apps/<app-name>.yaml
  2. Commit and push to forge
  3. ArgoCD (via app-of-apps) automatically picks it up

Example Application:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
    targetRevision: main
    path: argocd/manifests/my-app
  destination:
    server: https://kubernetes.default.svc
    namespace: my-app
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Files

File Description
kustomization.yaml References upstream install.yaml + local customizations
service-tailscale.yaml Tailscale Ingress for external access with Let's Encrypt TLS
argocd-cmd-params-cm.yaml Patch to disable HTTPS redirect (TLS terminates at Ingress)
repo-forge-secret.yaml.tpl Template for forge SSH credential template (manual)
README.md This file

Notes

  • TODO: Secrets (repo-creds-forge) are not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
  • The credential template (repo-creds) uses a URL prefix to match all repos under eblume/.
  • ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
  • The --grpc-web flag is required for CLI access through the Tailscale ingress.