| author | Paul Buetow <paul@buetow.org> | 2026-01-17 11:14:14 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-17 11:14:14 +0200 |
| commit | 860420cea001d8ece12dbe1c5fc1b0edf8a96953 (patch) | |
| tree | 8b20209faad2441d3eab8f2abbc8dc3a233ea3d9 | |
| parent | ab56feef59db1c28359dfb54e3225141b3dbf159 (diff) | |
Remove private SSH key from repo credentials
The ArgoCD SSH private key should not be stored in git.
Deploy it as a Kubernetes secret instead:
kubectl create secret generic git-server-repo-creds ...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| -rw-r--r-- | f3s/argocd/git-server-repo-creds.yaml | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/f3s/argocd/git-server-repo-creds.yaml b/f3s/argocd/git-server-repo-creds.yaml
index 54207bc0..b8814457 100644
--- a/f3s/argocd/git-server-repo-creds.yaml
+++ b/f3s/argocd/git-server-repo-creds.yaml
@@ -1,5 +1,17 @@
 # ArgoCD Repository Credential for self-hosted git-server
 # This secret tells ArgoCD how to authenticate to the git-server via SSH
+#
+# IMPORTANT: Do not commit the private key to git!
+# Deploy this secret manually with:
+# kubectl create secret generic git-server-repo-creds \
+# --namespace=cicd \
+# --from-literal=type=git \
+# --from-literal=url=ssh://git@git-server.cicd.svc.cluster.local \
+# --from-literal=insecure=true \
+# --from-file=sshPrivateKey=/path/to/your/private-key
+# kubectl label secret git-server-repo-creds -n cicd argocd.argoproj.io/secret-type=repository
+#
+# Or use the template below with your key injected at deploy time:
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,11 +24,4 @@ stringData:
 type: git
 url: ssh://git@git-server.cicd.svc.cluster.local
 insecure: "true"
- sshPrivateKey: |
- -----BEGIN OPENSSH PRIVATE KEY-----
- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
- QyNTUxOQAAACAIRE5bIG/4OUmjDzSVif7eLitZ+GW5PksuiMlBJfhHGAAAAJgGCa9qBgmv
- agAAAAtzc2gtZWQyNTUxOQAAACAIRE5bIG/4OUmjDzSVif7eLitZ+GW5PksuiMlBJfhHGA
- AAAEAbwYhRydHh8HlKI35Takf/1qCSvZmdJBzbngvz5Zv1bwhETlsgb/g5SaMPNJWJ/t4u
- K1n4Zbk+Sy6IyUEl+EcYAAAAEmFyZ29jZEBmM3MuY2x1c3RlcgECAw==
- -----END OPENSSH PRIVATE KEY-----
+ # sshPrivateKey: <INJECT_AT_DEPLOY_TIME> |
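Review bot: The documented `kubectl create secret` command carries `--from-literal=insecure=true`, and the template in the second hunk keeps `insecure: "true"`. In an Argo CD repository secret that field turns off SSH host key verification, so the private key is offered to whichever endpoint answers for `git-server.cicd.svc.cluster.local`. Now that the credential is handled deliberately, I would pin the git-server host key in the `argocd-ssh-known-hosts-cm` ConfigMap and drop the flag from both places. Failing that, add a comment next to it such as `# insecure=true skips SSH host key verification; remove once the host key is pinned`.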
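Review bot: Deleting the `sshPrivateKey` block removes the key only from the tip of the branch; the complete key is still readable in the parent commit, in every existing clone, and in this diff, so it has to be treated as disclosed. The commit message describes moving the key into a Kubernetes secret but does not mention rotation. The fix is to generate a new key pair, replace the public key authorised on git-server, and deploy only the new key; rewriting history is optional clean-up, not a substitute. I would record this in the header comment, for example `# The key formerly committed here is revoked; generate a new one before deploying`. Since the manifest still defines a Secret without `sshPrivateKey`, it is also worth a comment saying whether this file is ever applied or synced, because it presumably shares a name with the manually created secret.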
