| author | Paul Buetow <paul@buetow.org> | 2026-01-09 14:40:42 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 19:40:51 +0200 |
| commit | 723ebbc6ee9a33462a64bad622f5fbf98353555e (patch) | |
| tree | 3faf0758bf705a9f50d169e69e1fe380c8088b55 | |
| parent | 9bcf2d3961c68ebb4ac4d44af0027391f3cf251d (diff) | |
Add SSH connectivity for git-server and configure ArgoCD
- Enable SYS_CHROOT capability for git-server SSH to work in containers
- Configure ArgoCD repo-server to use SSH key for git-server access
- Set DEBUG3 logging in sshd for troubleshooting (temp)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| -rw-r--r-- | f3s/argocd/values.yaml | 18 | ||||
| -rw-r--r-- | f3s/git-server/docker-image/sshd_config | 2 | ||||
| -rw-r--r-- | f3s/git-server/helm-chart/templates/deployment.yaml | 1 |
3 files changed, 19 insertions, 2 deletions
diff --git a/f3s/argocd/values.yaml b/f3s/argocd/values.yaml
index e3b6887..2d5a4c1 100644
--- a/f3s/argocd/values.yaml
+++ b/f3s/argocd/values.yaml
@@ -52,19 +52,35 @@ server:
 # Repo Server configuration (clones repos, generates manifests)
 repoServer:
 replicas: 1
+ # Pod security context - fsGroup ensures secret volumes are readable by argocd user (999)
+ podSecurityContext:
+ fsGroup: 999
 # Enable persistence for repo cache - mount PVC at /home/argocd/repo-cache
 # This avoids conflict with default /tmp mount used by ArgoCD
 volumes:
 - name: repo-server-data
 persistentVolumeClaim:
 claimName: argocd-repo-server-pvc
+ # SSH private key for git-server access
+ - name: argocd-git-ssh-key
+ secret:
+ secretName: argocd-git-ssh-key
+ defaultMode: 0444
 volumeMounts:
 - name: repo-server-data
 mountPath: /home/argocd/repo-cache
- # Configure repo-server to use the persistent cache directory
+ # Mount SSH key for git operations
+ - name: argocd-git-ssh-key
+ mountPath: /home/argocd/.ssh/id_ed25519
+ subPath: sshPrivateKey
+ readOnly: true
+ # Configure repo-server to use the persistent cache directory and SSH key
 env:
 - name: XDG_CACHE_HOME
 value: /home/argocd/repo-cache
+ # Configure git to use SSH key and accept new host keys
+ - name: GIT_SSH_COMMAND
+ value: "ssh -i /home/argocd/.ssh/id_ed25519 -o StrictHostKeyChecking=accept-new"
 # Resource limits
 resources:
 limits:
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..da9ef33 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -28,7 +28,7 @@ PermitTunnel no
 # Logging
 SyslogFacility AUTH
-LogLevel INFO
+LogLevel DEBUG3
 # Performance
 UseDNS no
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index ac2a48d..6f38d88 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
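Review bot: In f3s/argocd/values.yaml the new `GIT_SSH_COMMAND` uses `StrictHostKeyChecking=accept-new`, which trusts whatever host key git-server presents on first contact. Nothing in this hunk persists a known_hosts file, so that first contact presumably recurs after every repo-server pod restart and the host key is never really verified. Mounting a pinned known_hosts entry for git-server and changing the options to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<pinned known_hosts path>` would close that gap. Separately, `defaultMode: 0444` leaves the private key readable by every UID in the pod; with `fsGroup: 999` already set, `defaultMode: 0440` should be enough. Because the key is mounted through `subPath`, a rotated secret will not reach the running pod until it is restarted.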
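Review bot: `LogLevel DEBUG3` in f3s/git-server/docker-image/sshd_config is baked into the image with nothing in the file marking it as temporary. The commit message calls it temp, but that is easy to lose once the image ships. sshd_config(5) notes that DEBUG-level logging violates user privacy, and the extra volume makes real authentication events harder to spot in the log. I would revert to `LogLevel INFO` before merging, or use `LogLevel VERBOSE` if per-key fingerprint detail is wanted. At minimum, add `# TODO: revert to INFO after SSH troubleshooting` above the line.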
@@ -52,6 +52,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["SYS_CHROOT"]
 resources:
 requests:
 cpu: 50m |
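Review bot: The added `add: ["SYS_CHROOT"]` in f3s/git-server/helm-chart/templates/deployment.yaml has no comment saying why the container needs it, so a later hardening pass cannot tell whether it is safe to drop again. I would put a line above it such as `# sshd chroots its pre-auth privilege-separation child; SYS_CHROOT is the only capability added back after drop ALL`, assuming that is the reason the commit message alludes to. The securityContext block starts above this hunk, so `runAsUser`/`runAsNonRoot` are not visible here. It is worth confirming that the capability is granted only to the sshd container and that the rest of the context stays as restrictive as the `drop: ["ALL"]` line suggests.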
