From 016e70a998f79e4e945f855b4d5d4fb0ac608e02 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Fri, 20 Mar 2026 12:59:13 +0100
Subject: [PATCH] argocd repo secret

---
 docs/OPERATIONS-RUNBOOK.md                   | 87 +++++---------------
 secrets/argocd-forte-helm-secret-sealed.yaml | 20 +++++
 2 files changed, 41 insertions(+), 66 deletions(-)
 create mode 100644 secrets/argocd-forte-helm-secret-sealed.yaml

diff --git a/docs/OPERATIONS-RUNBOOK.md b/docs/OPERATIONS-RUNBOOK.md
index 0425b0b..83eaaca 100644
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -169,78 +169,33 @@ This creates two files:
 
 Add the private key to ArgoCD as a repository secret:
 
+Save the following file in private/ (gitignored) folder as secret.yaml
 ```bash
-# Create secret for sturdy-adventure repository
-kubectl create secret generic repo-sturdy-adventure \
-  --from-file=sshPrivateKey=argocd-deploy-key \
-  --namespace=argocd \
-  --dry-run=client -o yaml | kubectl apply -f -
-
-# Label it for ArgoCD to recognize
-kubectl label secret repo-sturdy-adventure \
-  -n argocd \
-  argocd.argoproj.io/secret-type=repository
-
-# Add repository annotations
-kubectl annotate secret repo-sturdy-adventure \
-  -n argocd \
-  managed-by=argocd.argoproj.io
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: forte-helm-repo
+    namespace: argocd
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  stringData:
+    type: git
+    url: git@github.com:fortedigital/forte-helm.git
+    sshPrivateKey: |
+      <paste your private key here>
+    project: default
 ```
-
-Alternatively, create a complete repository secret with all metadata:
-
+Seal the secret using `kubeseal` command 
 ```bash
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-sturdy-adventure
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repository
-  annotations:
-    managed-by: argocd.argoproj.io
-type: Opaque
-stringData:
-  type: git
-  url: git@github.com:fortedigital/sturdy-adventure.git
-  sshPrivateKey: |
-$(cat argocd-deploy-key | sed 's/^/    /')
-EOF
+kubeseal --format=yaml \
+  --namespace=argocd \
+  < private/secret.yaml \
+  > secrets/forte-helm-repo-secret-sealed.yaml
 ```
 
 **Step 4: Register Repository in ArgoCD**
 
-Add the repository to ArgoCD's configuration:
-
-```bash
-# Via kubectl (recommended for GitOps)
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-sturdy-adventure
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repository
-type: Opaque
-stringData:
-  type: git
-  url: git@github.com:fortedigital/sturdy-adventure.git
-  sshPrivateKey: |
-$(cat argocd-deploy-key | sed 's/^/    /')
-  insecure: "false"
-  enableLfs: "false"
-EOF
-
-# Or via ArgoCD UI
-# 1. Open ArgoCD UI: kubectl port-forward svc/argocd-server -n argocd 8080:443
-# 2. Navigate to: Settings → Repositories → Connect Repo
-# 3. Connection Method: Via SSH
-# 4. Repository URL: git@github.com:fortedigital/sturdy-adventure.git
-# 5. SSH private key: Paste private key content
-# 6. Click "Connect"
-```
+Check in secrets/forte-helm-repo-secret-sealed.yaml and let Argo sync and create the secret.
 
 **Step 5: Verify Repository Access**
 
@@ -402,7 +357,7 @@ ssh-keygen -t ed25519 -C "argocd-sturdy-adventure" -f key-sturdy -N ""
 ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
 # Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
 
-# 3. forte-helm is public - no key needed (use HTTPS)
+# 3. forte-helm (private helm charts repo)
 
 # Create secrets
 kubectl create secret generic repo-sturdy-adventure \
diff --git a/secrets/argocd-forte-helm-secret-sealed.yaml b/secrets/argocd-forte-helm-secret-sealed.yaml
new file mode 100644
index 0000000..9d17e84
--- /dev/null
+++ b/secrets/argocd-forte-helm-secret-sealed.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: forte-helm-repo
+  namespace: argocd
+spec:
+  encryptedData:
+    project: AgBBeKBtro27DMJ+9YFjSlvv+XWyotBojRbaDVPDfwH0MoXST9zUKZSXDgbuJ5sy8dQYhfCZgtfjcNpWbCmLoURZMm1aPa0U05bG7Hz2EnO+39qcgpH/jzEzp0AsZ9YgMafgI0EyL63RnVmvvcFT81fNe4P6vlKjz+dyhIuXbELhDjabNE+QwsLmQkty7R6isJSx42+aEGliD69FcFjlvwz75L7y2Rck1eodUVbaTX3qdG/bSFCTWawCqnj27oEn+qYwcvrS/B8MsiG8XkcmAxy3QVHAW4waBQ/6IALqBaviXunye7TOujgfn996sQWEZz9e6tVsbh1I4i/1T44rtqiot3EuFMMuYN1C6JMb53lUI9KM/TMWM3U/B/MgFR7DbXRF8/VRkBqVJFv/PZWKxTNbnYEhdPBPZojZNhHntdFZNw7l9Pr251mPI9UCU+Mc+RKtluKb+c40C9Ty1TGaV0DQ3UtA+1zbotDVGx21P7tAwplz22czu0GSUZu3nDDEPoyQoI1YG4TBvqKwuFbxJZASUglDmwyzFG15QIn03zE661ETR1ETXMbqxJR8yWmY7G5R1aNMCX9oc5l+xS6lUuUsI/fmN58VA3i82j4jEB/+oPyQ6bxsiteGXkvIz4ONxh2Ve+FmgxaDNLJNH0RHnJ7J/mJARfn43o264ONq7eTt2HuOgoP9UIsOPXuDmlBo1oZ0zxWXUEST
+    sshPrivateKey: AgBNgdWFu4x9CEgKftriZCnjSPNgV+RpAxi8/N0XawXATbQEtsMHfctTsRtwsOvaEvCehlLq7dJWRmPiuTGZ7fA2vaetoj7ppa59kHJtEO4teVcU5n64glLV5EqZbwm/nel0b5ri+otrY2zjo/tomt/7e0K30OZbe3Wghr6pDH8MrScAxO+VqgJHqqXeFayY2cC4e/mZXGu7J+FKBl3si/i6nKtKFhaqCKF+Wn4tou7wZDIdx4A+jWUxTnQquQU8IdaZof0hUNKrmmD1ayK5mJxfOBLqt9TXoTKGwkZJkdr0Pvo8tx1DqTCfpyL9Ur7B7H4G5x9n+AaD6+Iwn0eohty+NPLoy3v6JYYayZb9Foi41EzRHm+W9Cc0TcDBNTN8kR9u713n+YNuFHCaALx4iR28svfKHHjsOEzZ5688WXuph2+eLm+DW03obRDGJYi25j9URYX31LJSTMEs0rhhsUn3eeipUjQ2Fdo3xXFnALLOci0XjRd6YvuR5DN1pkj4KFcMzHvTkyM8jG9eTHGloW55zFTNtb9QkNz+x75RRpCmNlT0bKqAjxfov70K8gbSIzZ7d77iai68JQ/FnTjuL8Gx2Jyr/ltlVnql4fpv1u691SCCTvoz6aAVknn63SXdrnJ9hv+/Nb01MZhYAciYgvAAoxAOT3UOpIBnJ5h/VUacJ+Op26jtSsWrMjAtVSN2RjqzXAbVe/HONpE76vEfDHKizHEUriT7y1WoOUxcbwGIFAzSDM2OidUW/SstCNCmGQ9Whdq427X+eQIh2h+EpCPYXy3YTuWfSISgkA74bSVeX+2mHpwgo+5GPfiAQmHajdZLYTo+GAaty7VdNWTL1AEdgFkYR4TwaeR8DcLe03efg5Q1SLd1I0+kjtkVQcWsnTnchnMcXK1tvOAcNc9MY9pKNh/gW/nAnsAyfEA9opl2LFyywpeDizDdowO99meiJB7+ISS1lOI5f7xvcM6ovEcTugj4Dwv05546Zxb1ziIGbhq5kiD5FIMCPzBo0vX4XXeUa0GRIVCHRxgygi17bTMwKGKRKGusduBVbc/+OKaX5ciAtxPSq85Z6XCXSEXzajsIFkasQtm7tt44U80fAlwmgAfGdRQMF5CcEW7x5WyXVb6mZUt3GgQmPdfrP6kTgaxXGTkGsbb5bcsbf3DeoAdiJ1rJPBVX4z10cJsdRCKI+d0VwVLu59eheOajdvPxdhR+tNhJfavaUKtj7THrMJUq7WPZq4GlPQpO7S3+Q6V1e6eaSw==
+    type: AgBf+Wb64fdsnUEwpxRcWg8fRtMi8MisZOA9gm/uwA2u+OZUNh/vHO5hzjxG3NVeT+6sOM3iJJhnLHTv7nxykP//3qG/PqkVPPYPvGm5v8sd698Ga146FsOKQzga7mn8vGZ2FYyZmfq2l3ZBS2j+12M6TtXw5a4dqCtrVq5FbvBr9MBKTxpHdKnpgddxyWYxE9uSgFm+2IrT9hH7OAhke0NrQQwbDFpOI/y2xhgaIGp/E78G+8Ijwc0ofrd8XIjKWcesXD4uQqTBHZfcoanMWlSqrfXDxSRiBNVkHot1AnE8DiukL3+Dntxr6bh3bIZWvsHuNa9fQnjH6BNskYQSYopreHdujsvYDm19vqHNpkW1mTmjdimWgxX5Ot2kzcnuguA4Qn2JjpLicT2GbNIEcI6rjghTM6CATOFWmiF933uIXhDN9RlfMR/+hTLisFvnZmdsH/6byvoe39UxavtVEKsSPCa3h2FN5O2HKrccWrAZ9fQdDtIzwVMXi48rsi5sB05By2WetsUMu3JdRlM8noQ3qtrKzdtjyQIUFJcIxRkL8mKz5lkXPKjn7qlItUY5VG6dnhHQRTxYdAxn3jKMpYh0jEtloI3m3SEXhfE9JPbA4RIgNi8evnRBMKwBwEr8mU52DbB1J3gU7Gm9IOYBsOgq0U1BkzqCqIaThoUWXCNGkAG3rc7uLuyOaHHVEBLsmu+m1cE=
+    url: AgB3C9i/Ue7oHmeoLQCr8BVYIqYIT8EmrhkFjj+vjBSTynYwoFonaiPMqDJ2XewJV9WpO6wL0IYH/cK0BkhbPhjN6oQ88Qn1MkuVCjtGht1cUeOzRtSE8hdqoOKaagFb4pcgwwm8ldU7bry3KioXnz36YaU7wcddUkHVQYQOp6DvcxtjonsLUFHecDcW+qL5aVzwI3CBkn0xMrc2kRiO2q2ZjR7BNNddNUw5f1v3fYNE0PARd+bVyegSEMuBRoh1amautWEfuYoCENPqhfd9Umbs9eml/j86pj9mvkVZ2CzRt78V+C3ciMZM6QlLV+BdiPm99/igyvZScDEB/tUrMaj/K6qhMYG7r8jNBQrsg3luvTVFcC75e8aSgfRJ0QDiYmtZ5fP+8AS+l2pyRFMkbOMAk62LCqAiXuXk/vC412Lrk4NkEIxqCDnf771PTOkbXYXNlHzC2w1AZSkvPqKjIvJbLCkCxGFVBeUmlZzcCIYDeXTpIRwZsVIo+sGpjbR8soeTb8suw6GqYjgXPhXm/S1kpL6yAXfCFCXmyxntMZCuWuFPPWfwzn5GDfSJS7Hz43cuh7vwrQ78xC1wQRs7EObWNUbLIfvWEypvncYmixKY8+02SrDwzcwADimJKMxs7Bp10rkMO4HkpcFDisVyHCgBbfG3BYFo0sT5+FN6b5Bhuo6hUaCzEe9HAeSIFNuKaX5wYbY1MzsRoWOvydStoQa9KwVeZwBPzZV0VW2c3wMRT1pNN4s2THGlphw=
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/secret-type: repository
+      name: forte-helm-repo
+      namespace: argocd