j-zimnowoda
left a comment
While installing the monitoring-with-team scenario I noticed the following
- The otomi-api secret is empty:
```yaml
# ad 1
# k get secret -n otomi otomi-api -oyaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: otomi-otomi-api:/Secret:otomi/otomi-api
  creationTimestamp: "2026-06-24T13:05:43Z"
  labels:
    app.kubernetes.io/instance: otomi-api
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: otomi-api
    app.kubernetes.io/version: "1.0"
    helm.sh/chart: otomi-api-0.1.0
  name: otomi-api
  namespace: otomi
type: Opaque
```
This is where the credentials used to be inserted. Cleaning this up.
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
j-zimnowoda
left a comment
In the git-server, the 401 error is logged every second.
2026/06/25 07:03:51 GET /otomi/values.git/info/refs 401 127.0.0.6:57259
I am not sure which actor is doing it.
I can confirm it is apl-operator. I see the same in Gitea in the previous release. Something worth looking at, but cannot be a critical issue.
Ok. I recorded it as a follow-up ticket: APL-1966
Co-authored-by: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com>
Co-authored-by: jeho <17126497+j-zimnowoda@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
📌 Summary
This PR removes the Git credentials from the values store as well as the Helm chart. Instead, Git credentials are stored exclusively in a Secret (apl-secrets/apl-git-config). The ConfigMap (with non-sensitive data such as the repository URL) has been merged into this secret to ensure consistency.
For minimizing impact in templates, `otomi.git` in the values is populated with the repo URL, branch, and email data. Note that otomi-api also no longer takes these values in environment variables, but instead reads and writes the aforementioned Secret directly.
🔍 Reviewer Notes
Requires testing with linode/apl-api#1018
Currently still breaks when Gitea is used in addition to an external repository, as Gitea admin password is not separated cleanly from internal Git credentials.
🧹 Checklist
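Added example, not part of the PR or the project's code: a small audit over rendered manifests for the change described in the summary, flagging credentials passed as literal environment variables or stored in a ConfigMap, and Secrets left without data as observed in review. The manifests and the env/key names (`GIT_USERNAME`, `GIT_PASSWORD`, `password`, `LOG_LEVEL`) are constructed assumptions.

```python
# Added example: audit rendered manifests for Git credentials outside a Secret.
# All manifests and key/env names below are constructed for illustration.
CRED_HINTS = ("password", "token", "username", "credential")

def looks_sensitive(name):
    return any(h in name.lower() for h in CRED_HINTS)

def audit(manifests):
    """Return (resource, issue) tuples for credential placement problems."""
    findings = []
    for m in manifests:
        meta = m.get("metadata", {})
        ref = f'{m.get("kind")}/{meta.get("namespace")}/{meta.get("name")}'
        if m.get("kind") == "ConfigMap":
            findings += [(ref, f"credential-like ConfigMap key {k}")
                         for k in (m.get("data") or {}) if looks_sensitive(k)]
        elif m.get("kind") == "Secret":
            # A Secret without data/stringData is a leftover, as seen in review.
            if not (m.get("data") or m.get("stringData")):
                findings.append((ref, "Secret has no data"))
        elif m.get("kind") == "Deployment":
            for c in m["spec"]["template"]["spec"].get("containers", []):
                findings += [(ref, f"literal env credential {e['name']}")
                             for e in c.get("env", [])
                             if "value" in e and looks_sensitive(e["name"])]
    return findings

def deployment(env):
    return {"kind": "Deployment",
            "metadata": {"namespace": "otomi", "name": "otomi-api"},
            "spec": {"template": {"spec": {"containers": [{"name": "api", "env": env}]}}}}

# Constructed "before": credentials handed to otomi-api as literal env values.
BEFORE = [deployment([{"name": "GIT_USERNAME", "value": "example"},   # hypothetical
                      {"name": "GIT_PASSWORD", "value": "example"}])]  # hypothetical

# Constructed "after": one populated Secret, no env credentials, and an
# otomi-api Secret with no data like the one shown in the review comment.
AFTER = [
    {"kind": "Secret", "metadata": {"namespace": "apl-secrets", "name": "apl-git-config"},
     "data": {"password": "ZXhhbXBsZQ=="}},                            # hypothetical key
    {"kind": "Secret", "metadata": {"namespace": "otomi", "name": "otomi-api"}},
    deployment([{"name": "LOG_LEVEL", "value": "info"}]),
]

if __name__ == "__main__":
    for label, docs in (("before", BEFORE), ("after", AFTER)):
        for ref, issue in audit(docs):
            print(f"{label}: {ref}: {issue}")
```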