security: remove secrets from git, gitignore k8s secret files
Secrets committed in prior commits (matomo-secret.yaml, secret-analytics-auth.yaml) have been scrubbed from history via filter-branch — rotate those credentials immediately. Going forward: - deploy/*-secret.yaml is gitignored; apply manually with kubectl - deploy/matomo-secret.yaml.example shows the required shape - ArgoCD ignoreDifferences on matomo-secret prevents it pruning a manually-applied secret - Remove matomo-secret.yaml from kustomization.yaml so ArgoCD never manages it again Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -16,3 +16,8 @@ data/
|
|||||||
*.jks.bak
|
*.jks.bak
|
||||||
*.jks.bak*
|
*.jks.bak*
|
||||||
*.keystore
|
*.keystore
|
||||||
|
|
||||||
|
# Kubernetes secrets — apply manually, never commit
|
||||||
|
deploy/matomo-secret.yaml
|
||||||
|
deploy/*-secret.yaml
|
||||||
|
deploy/*-auth-secret.yaml
|
||||||
|
|||||||
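Review bot: The added pattern `deploy/*-auth-secret.yaml` does not match `secret-analytics-auth.yaml`, the second file the description says was scrubbed, and `deploy/*-secret.yaml` misses it too because that name ends in `-auth.yaml`, so if it lives under deploy/ it can still be committed. The two more specific entries are already subsumed by `deploy/*-secret.yaml`, so the list could be reduced to that line plus one for the other naming order, e.g. `deploy/secret-*.yaml`. None of these match `deploy/matomo-secret.yaml.example`, since `*` has to consume the rest of the basename and the `.example` suffix breaks the match, so the template stays trackable. An ignore rule is bypassed by `git add -f` and by renames, so a secret scanner in the pre-commit hook or CI pipeline is the check that actually backs this up. The file header is not shown in this view; the hunk is taken to be the repository .gitignore.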
@@ -12,6 +12,14 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
namespace: solitaire
|
namespace: solitaire
|
||||||
|
# Secrets are applied manually and must not be pruned by ArgoCD.
|
||||||
|
ignoreDifferences:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: matomo-secret
|
||||||
|
namespace: solitaire
|
||||||
|
jsonPointers:
|
||||||
|
- /data
|
||||||
syncPolicy:
|
syncPolicy:
|
||||||
automated:
|
automated:
|
||||||
prune: true
|
prune: true
|
||||||
|
|||||||
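Review bot: As I read ArgoCD's prune logic, the new `ignoreDifferences` entry does not stop pruning: it only suppresses diff fields for a resource that is present in the rendered manifests, and this same commit removes matomo-secret from kustomization.yaml, so with `prune: true` under `automated:` the live Secret that still carries ArgoCD's tracking label becomes an orphan candidate on the next sync. The mechanism that actually protects it is the `argocd.argoproj.io/sync-options: Prune=false` annotation on the live object, which the example file's header already prescribes, so the description's claim that ignoreDifferences prevents pruning should be corrected. Since the entry then does nothing, I would drop the block, or if it is kept for a future in-repo placeholder, reword the comment to `# Does not prevent pruning; the manually applied secret relies on its Prune=false annotation.` The rest of the Application spec, including the start of `spec:`, is outside the hunk.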
@@ -11,7 +11,6 @@ resources:
|
|||||||
- mariadb-deployment.yaml
|
- mariadb-deployment.yaml
|
||||||
- mariadb-service.yaml
|
- mariadb-service.yaml
|
||||||
- matomo-pvc.yaml
|
- matomo-pvc.yaml
|
||||||
- matomo-secret.yaml
|
|
||||||
- matomo-deployment.yaml
|
- matomo-deployment.yaml
|
||||||
- matomo-service.yaml
|
- matomo-service.yaml
|
||||||
- ingress-analytics.yaml
|
- ingress-analytics.yaml
|
||||||
|
|||||||
@@ -0,0 +1,22 @@
|
|||||||
|
# DO NOT COMMIT THE REAL VERSION OF THIS FILE.
|
||||||
|
# deploy/matomo-secret.yaml is gitignored — apply it manually once:
|
||||||
|
#
|
||||||
|
# cp deploy/matomo-secret.yaml.example deploy/matomo-secret.yaml
|
||||||
|
# # edit the passwords below, then:
|
||||||
|
# kubectl apply -f deploy/matomo-secret.yaml
|
||||||
|
# kubectl annotate secret matomo-secret -n solitaire \
|
||||||
|
# argocd.argoproj.io/sync-options=Prune=false --overwrite
|
||||||
|
#
|
||||||
|
# Generate strong passwords with:
|
||||||
|
# python3 -c "import secrets; print(secrets.token_urlsafe(18))"
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: matomo-secret
|
||||||
|
namespace: solitaire
|
||||||
|
stringData:
|
||||||
|
MYSQL_ROOT_PASSWORD: "CHANGE_ME"
|
||||||
|
MYSQL_DATABASE: matomo
|
||||||
|
MYSQL_USER: matomo
|
||||||
|
MYSQL_PASSWORD: "CHANGE_ME"
|
||||||
|
MATOMO_ADMIN_PASSWORD: "CHANGE_ME"
|
||||||
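Review bot: The prune-protection annotation is applied as a separate `kubectl annotate` step after `kubectl apply`, which leaves a window in which an automated sync with `prune: true` can delete the freshly created Secret before the annotation lands; putting it in the manifest makes the apply atomic. Under `metadata:` add `annotations:` with `argocd.argoproj.io/sync-options: Prune=false` nested beneath it, and drop the two annotate lines from the header comment. The comment `# # edit the passwords below, then:` has a doubled hash that reads as a stray prompt; `#   edit the passwords below, then:` is clearer. Because the real file sits unencrypted on the operator's disk after the `cp`, the header could also note to create it with restrictive permissions, or to feed the generated values to `kubectl create secret generic --from-literal` without keeping a file at all. The rendered view has lost indentation, so the metadata/stringData nesting is assumed from the key names.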