diff --git a/.gitignore b/.gitignore
index a8dac76..63b8a89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,8 @@ data/
 *.jks.bak
 *.jks.bak*
 *.keystore
+
+# Kubernetes secrets — apply manually, never commit
+deploy/matomo-secret.yaml
+deploy/*-secret.yaml
+deploy/*-auth-secret.yaml
diff --git a/argocd/application.yaml b/argocd/application.yaml
index 0893697..d62d673 100644
--- a/argocd/application.yaml
+++ b/argocd/application.yaml
@@ -12,6 +12,14 @@ spec:
 destination:
 server: https://kubernetes.default.svc
 namespace: solitaire
+ # Secrets are applied manually and must not be pruned by ArgoCD.
+ ignoreDifferences:
+ - group: ""
+ kind: Secret
+ name: matomo-secret
+ namespace: solitaire
+ jsonPointers:
+ - /data
 syncPolicy:
 automated:
 prune: true
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 8c76776..fbbfbad 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -11,7 +11,6 @@ resources:
 - mariadb-deployment.yaml
 - mariadb-service.yaml
 - matomo-pvc.yaml
-- matomo-secret.yaml
 - matomo-deployment.yaml
 - matomo-service.yaml
 - ingress-analytics.yaml
diff --git a/deploy/matomo-secret.yaml.example b/deploy/matomo-secret.yaml.example
new file mode 100644
index 0000000..f0b9a4c
--- /dev/null
+++ b/deploy/matomo-secret.yaml.example
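Review bot: Ignoring `deploy/matomo-secret.yaml` does not untrack a file that is already committed, and the `deploy/kustomization.yaml` hunk in this same commit drops a `matomo-secret.yaml` resource, which suggests the file was tracked before. No deletion of that file is visible in this diff, so confirm it leaves the index with `git rm --cached deploy/matomo-secret.yaml`; any passwords it held stay readable in history and should be rotated rather than reused in the manually applied Secret. As a style point, `deploy/*-secret.yaml` already matches both `deploy/matomo-secret.yaml` and `deploy/*-auth-secret.yaml`, so the first and third patterns are redundant.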
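Review bot: The added comment says the Secret "must not be pruned", but `ignoreDifferences` only excludes `/data` from diff comparison and has no effect on pruning. With `prune: true` still set under `syncPolicy.automated`, a Secret that ArgoCD previously tracked and that `deploy/kustomization.yaml` no longer renders is presumably a prune candidate on the next sync. The only prune protection is the `argocd.argoproj.io/sync-options=Prune=false` annotation described in `deploy/matomo-secret.yaml.example`, so it has to be on the live Secret before this change syncs, otherwise the database credentials can be deleted under the running pods. I would reword the comment to `# Ignore drift in the manually applied Secret's data; pruning is prevented by the Prune=false annotation on the Secret itself.` The `spec` mapping starts and ends outside this hunk.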
@@ -0,0 +1,22 @@
+# DO NOT COMMIT THE REAL VERSION OF THIS FILE.
+# deploy/matomo-secret.yaml is gitignored — apply it manually once:
+#
+# cp deploy/matomo-secret.yaml.example deploy/matomo-secret.yaml
+# # edit the passwords below, then:
+# kubectl apply -f deploy/matomo-secret.yaml
+# kubectl annotate secret matomo-secret -n solitaire \
+# argocd.argoproj.io/sync-options=Prune=false --overwrite
+#
+# Generate strong passwords with:
+# python3 -c "import secrets; print(secrets.token_urlsafe(18))"
+apiVersion: v1
+kind: Secret
+metadata:
+ name: matomo-secret
+ namespace: solitaire
+stringData:
+ MYSQL_ROOT_PASSWORD: "CHANGE_ME"
+ MYSQL_DATABASE: matomo
+ MYSQL_USER: matomo
+ MYSQL_PASSWORD: "CHANGE_ME"
+ MATOMO_ADMIN_PASSWORD: "CHANGE_ME"
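Review bot: The documented `kubectl apply -f deploy/matomo-secret.yaml` is a client-side apply, which copies the whole manifest, plaintext `stringData` included, into the `kubectl.kubernetes.io/last-applied-configuration` annotation on the Secret. That leaves the passwords visible in metadata, which `kubectl describe` and many tools treat as non-sensitive. I would change the instruction to `kubectl create -f deploy/matomo-secret.yaml` (or `kubectl apply --server-side -f …`) and add a step such as `# chmod 600 deploy/matomo-secret.yaml, and delete it once applied` so the plaintext copy does not linger in the working tree. Nothing stops the file from being applied with the `"CHANGE_ME"` placeholders intact, so a comment telling the operator to run `grep -n CHANGE_ME deploy/matomo-secret.yaml` and expect no output before applying would be a cheap guard.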