| author | Paul Buetow <paul@buetow.org> | 2026-01-09 14:40:42 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 14:40:42 +0200 |
| commit | eae27de6c6b63a830f0ee23b155d94a9fe82c255 (patch) | |
| tree | 1127e6f994a12ddb4626f4a70045a15ef6420690 | |
| parent | e5d0610d4a0c702a68cf73200f991f607b0ee7b5 (diff) | |
Add SSH connectivity for git-server and configure ArgoCD
- Enable SYS_CHROOT capability for git-server SSH to work in containers
- Configure ArgoCD repo-server to use SSH key for git-server access
- Set DEBUG3 logging in sshd for troubleshooting (temp)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| -rw-r--r-- | f3s/argocd/values.yaml | 18 | ||||
| -rw-r--r-- | f3s/git-server/docker-image/sshd_config | 2 | ||||
| -rw-r--r-- | f3s/git-server/helm-chart/templates/deployment.yaml | 1 |
3 files changed, 19 insertions, 2 deletions
diff --git a/f3s/argocd/values.yaml b/f3s/argocd/values.yaml
index e3b6887..2d5a4c1 100644
--- a/f3s/argocd/values.yaml
+++ b/f3s/argocd/values.yaml
@@ -52,19 +52,35 @@ server:
 # Repo Server configuration (clones repos, generates manifests)
 repoServer:
 replicas: 1
+ # Pod security context - fsGroup ensures secret volumes are readable by argocd user (999)
+ podSecurityContext:
+ fsGroup: 999
 # Enable persistence for repo cache - mount PVC at /home/argocd/repo-cache
 # This avoids conflict with default /tmp mount used by ArgoCD
 volumes:
 - name: repo-server-data
 persistentVolumeClaim:
 claimName: argocd-repo-server-pvc
+ # SSH private key for git-server access
+ - name: argocd-git-ssh-key
+ secret:
+ secretName: argocd-git-ssh-key
+ defaultMode: 0444
 volumeMounts:
 - name: repo-server-data
 mountPath: /home/argocd/repo-cache
- # Configure repo-server to use the persistent cache directory
+ # Mount SSH key for git operations
+ - name: argocd-git-ssh-key
+ mountPath: /home/argocd/.ssh/id_ed25519
+ subPath: sshPrivateKey
+ readOnly: true
+ # Configure repo-server to use the persistent cache directory and SSH key
 env:
 - name: XDG_CACHE_HOME
 value: /home/argocd/repo-cache
+ # Configure git to use SSH key and accept new host keys
+ - name: GIT_SSH_COMMAND
+ value: "ssh -i /home/argocd/.ssh/id_ed25519 -o StrictHostKeyChecking=accept-new"
 # Resource limits
 resources:
 limits:
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..da9ef33 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -28,7 +28,7 @@ PermitTunnel no
 # Logging
 SyslogFacility AUTH
-LogLevel INFO
+LogLevel DEBUG3
 # Performance
 UseDNS no
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index ac2a48d..6f38d88 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
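Review bot: In f3s/argocd/values.yaml, the added `GIT_SSH_COMMAND` uses `-o StrictHostKeyChecking=accept-new`, so the repo-server trusts whatever host key it is shown on first contact, and nothing in this hunk persists a `known_hosts` file, so that first contact presumably repeats after every pod restart. Pinning the git-server host key closes that gap: mount a known_hosts file next to the key and use `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path-to-mounted-known_hosts>`. Separately, `defaultMode: 0444` on the `argocd-git-ssh-key` volume leaves the private key readable by every user in the container; since the same hunk sets `fsGroup: 999`, `defaultMode: 0440` should be enough for the argocd user to read it. The `repoServer` block continues outside the hunk, so any existing known-hosts handling there is not visible.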
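Review bot: In f3s/git-server/docker-image/sshd_config, `LogLevel DEBUG3` is baked into the image with nothing in the file marking it as temporary; only the commit message says so. sshd_config(5) advises against the DEBUG levels because they expose user activity, and the output volume can bury real authentication events in the pod logs. If more detail than INFO is still needed, `LogLevel VERBOSE` records the key fingerprint used for each login; otherwise add `# TEMP: revert to INFO once ArgoCD SSH access is confirmed` above the line so the revert is not forgotten.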
@@ -52,6 +52,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["SYS_CHROOT"]
 resources:
 requests:
 cpu: 50m |
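Review bot: The added `add: ["SYS_CHROOT"]` widens an otherwise fully dropped capability set without the manifest saying why. A comment above it, e.g. `# sshd chroots its unprivileged pre-auth child; requires CAP_SYS_CHROOT` (presumably the reason, going by the commit message), would keep a later hardening pass from removing it blindly or treating it as precedent for adding more. The rest of the `securityContext` lies outside the hunk, so it is worth confirming there that the container's user and seccomp settings still limit what chroot(2) can be used for.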
