security: remove secrets from git, gitignore k8s secret files

Secrets committed in prior commits (matomo-secret.yaml, secret-analytics-auth.yaml) have been scrubbed from history via filter-branch — rotate those credentials immediately. Going forward: - deploy/*-secret.yaml is gitignored; apply manually with kubectl - deploy/matomo-secret.yaml.example shows the required shape - ArgoCD ignoreDifferences on matomo-secret prevents it pruning a manually-applied secret - Remove matomo-secret.yaml from kustomization.yaml so ArgoCD never manages it again Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 21:36:46 -07:00
parent 1b7c4d92aa
commit 6905f26b56
4 changed files with 35 additions and 1 deletions
@@ -11,7 +11,6 @@ resources:
 - mariadb-deployment.yaml
 - mariadb-service.yaml
 - matomo-pvc.yaml
- matomo-secret.yaml
 - matomo-deployment.yaml
 - matomo-service.yaml
 - ingress-analytics.yaml
@@ -0,0 +1,22 @@
+# DO NOT COMMIT THE REAL VERSION OF THIS FILE.
+# deploy/matomo-secret.yaml is gitignored — apply it manually once:
+#
+#   cp deploy/matomo-secret.yaml.example deploy/matomo-secret.yaml
+#   # edit the passwords below, then:
+#   kubectl apply -f deploy/matomo-secret.yaml
+#   kubectl annotate secret matomo-secret -n solitaire \
+#     argocd.argoproj.io/sync-options=Prune=false --overwrite
+#
+# Generate strong passwords with:
+#   python3 -c "import secrets; print(secrets.token_urlsafe(18))"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matomo-secret
+  namespace: solitaire
+stringData:
+  MYSQL_ROOT_PASSWORD: "CHANGE_ME"
+  MYSQL_DATABASE: matomo
+  MYSQL_USER: matomo
+  MYSQL_PASSWORD: "CHANGE_ME"
+  MATOMO_ADMIN_PASSWORD: "CHANGE_ME"