From 6905f26b56bc8aed17c6b77ddceb99bf4328fbdc Mon Sep 17 00:00:00 2001
From: funman300
Date: Wed, 13 May 2026 21:36:46 -0700
Subject: [PATCH] security: remove secrets from git, gitignore k8s secret files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Secrets committed in prior commits (matomo-secret.yaml, secret-analytics-auth.yaml) have been scrubbed from history via filter-branch — rotate those credentials immediately.

Going forward:
- deploy/*-secret.yaml is gitignored; apply manually with kubectl
- deploy/matomo-secret.yaml.example shows the required shape
- ArgoCD ignoreDifferences on matomo-secret prevents it pruning a manually-applied secret
- Remove matomo-secret.yaml from kustomization.yaml so ArgoCD never manages it again

Co-Authored-By: Claude Sonnet 4.6
---
 .gitignore | 5 +++++
 argocd/application.yaml | 8 ++++++++
 deploy/kustomization.yaml | 1 -
 deploy/matomo-secret.yaml.example | 22 ++++++++++++++++++++++
 4 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 deploy/matomo-secret.yaml.example

diff --git a/.gitignore b/.gitignore
index a8dac76..63b8a89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,8 @@ data/
 *.jks.bak
 *.jks.bak*
 *.keystore
+
+# Kubernetes secrets — apply manually, never commit
+deploy/matomo-secret.yaml
+deploy/*-secret.yaml
+deploy/*-auth-secret.yaml
diff --git a/argocd/application.yaml b/argocd/application.yaml
index 0893697..d62d673 100644
--- a/argocd/application.yaml
+++ b/argocd/application.yaml
@@ -12,6 +12,14 @@ spec:
 destination:
 server: https://kubernetes.default.svc
 namespace: solitaire
+ # Secrets are applied manually and must not be pruned by ArgoCD.
+ ignoreDifferences:
+ - group: ""
+ kind: Secret
+ name: matomo-secret
+ namespace: solitaire
+ jsonPointers:
+ - /data
 syncPolicy:
 automated:
 prune: true
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 8c76776..fbbfbad 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
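Review bot: The added patterns do not cover the second file the commit message says was scrubbed, `secret-analytics-auth.yaml`: that name ends in `-auth.yaml`, so neither `deploy/*-secret.yaml` nor `deploy/*-auth-secret.yaml` matches it (assuming it lives under deploy/, which the message does not say), and a locally re-created copy would be stageable again. A pattern matching that naming convention, e.g. `deploy/secret-*.yaml`, or renaming the file to fit `*-secret.yaml` closes the gap. Of the three patterns added here, `deploy/*-secret.yaml` already subsumes the other two. Since .gitignore only stops untracked files from being staged by default and does nothing against `git add -f` or a differently named copy, a pre-commit secret scanner is the stronger complement to this change.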
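Review bot: The comment above the added `ignoreDifferences` stanza claims more than the stanza delivers: as far as I can tell, ignoreDifferences only normalizes the `/data` diff for a resource that is still present in the rendered manifests, and this same commit removes matomo-secret from kustomization.yaml, so there is no desired-state object left to compare; it has no bearing on the `prune: true` shown in the context lines below. If the live Secret still carries ArgoCD's tracking label from when it was managed, an automated sync would still prune it regardless of this stanza; what actually protects it is the `argocd.argoproj.io/sync-options: Prune=false` annotation on the live object (the step the example file documents) or stripping the tracking label from the manually applied Secret. Either drop the stanza or replace its comment with `# No effect while the Secret is absent from the manifests; prune protection comes from the Prune=false annotation on the live Secret.` so the next reader does not rely on it. The remainder of spec and syncPolicy lies outside the hunk.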
@@ -11,7 +11,6 @@ resources:
 - mariadb-deployment.yaml
 - mariadb-service.yaml
 - matomo-pvc.yaml
-- matomo-secret.yaml
 - matomo-deployment.yaml
 - matomo-service.yaml
 - ingress-analytics.yaml
diff --git a/deploy/matomo-secret.yaml.example b/deploy/matomo-secret.yaml.example
new file mode 100644
index 0000000..f0b9a4c
--- /dev/null
+++ b/deploy/matomo-secret.yaml.example
@@ -0,0 +1,22 @@
+# DO NOT COMMIT THE REAL VERSION OF THIS FILE.
+# deploy/matomo-secret.yaml is gitignored — apply it manually once:
+#
+# cp deploy/matomo-secret.yaml.example deploy/matomo-secret.yaml
+# # edit the passwords below, then:
+# kubectl apply -f deploy/matomo-secret.yaml
+# kubectl annotate secret matomo-secret -n solitaire \
+# argocd.argoproj.io/sync-options=Prune=false --overwrite
+#
+# Generate strong passwords with:
+# python3 -c "import secrets; print(secrets.token_urlsafe(18))"
+apiVersion: v1
+kind: Secret
+metadata:
+ name: matomo-secret
+ namespace: solitaire
+stringData:
+ MYSQL_ROOT_PASSWORD: "CHANGE_ME"
+ MYSQL_DATABASE: matomo
+ MYSQL_USER: matomo
+ MYSQL_PASSWORD: "CHANGE_ME"
+ MATOMO_ADMIN_PASSWORD: "CHANGE_ME"
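Review bot: The `Prune=false` protection this file relies on is a separate `kubectl annotate` step in the header comment, which an operator can skip or forget after a later re-apply; the annotation belongs in the manifest so it is applied together with the Secret. Add under `metadata:` the two child lines `annotations:` and `argocd.argoproj.io/sync-options: Prune=false`, and the annotate command in the comment can be dropped. The header comment would also benefit from one sentence stating that anyone who has applied the scrubbed matomo-secret.yaml before this commit must re-apply with rotated values, since the `CHANGE_ME` placeholders only describe the shape and the commit message already calls for rotation.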