---
phase: 07-gitops-foundation
plan: 01
type: execute
wave: 1
depends_on: []
files_modified:
  - argocd/application.yaml
  - argocd/repo-secret.yaml
autonomous: true

must_haves:
  truths:
    - "ArgoCD can access TaskPlanner Git repository"
    - "TaskPlanner Application exists in ArgoCD"
    - "Application shows Synced status"
  artifacts:
    - path: "argocd/repo-secret.yaml"
      provides: "Repository credentials for ArgoCD"
      contains: "argocd.argoproj.io/secret-type: repository"
    - path: "argocd/application.yaml"
      provides: "ArgoCD Application manifest"
      contains: "kind: Application"
  key_links:
    - from: "argocd/application.yaml"
      to: "ArgoCD server"
      via: "kubectl apply"
      pattern: "kind: Application"
    - from: "argocd/repo-secret.yaml"
      to: "Gitea repository"
      via: "repository secret"
      pattern: "secret-type: repository"
---

<objective>
Register TaskPlanner with ArgoCD by creating repository credentials and applying the Application manifest.

Purpose: Enable GitOps workflow where ArgoCD manages TaskPlanner deployment from Git source of truth.
Output: TaskPlanner Application registered in ArgoCD showing "Synced" status.
</objective>

<execution_context>
@/home/tho/.claude/get-shit-done/workflows/execute-plan.md
@/home/tho/.claude/get-shit-done/templates/summary.md
</execution_context>

<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/07-gitops-foundation/07-CONTEXT.md
@argocd/application.yaml
@helm/taskplaner/values.yaml
</context>

<tasks>

<task type="auto">
  <name>Task 1: Create ArgoCD repository secret for TaskPlanner</name>
  <files>argocd/repo-secret.yaml</files>
  <action>
Create a Kubernetes Secret for ArgoCD to access the TaskPlanner Gitea repository.

The secret must:
1. Be in namespace `argocd`
2. Have label `argocd.argoproj.io/secret-type: repository`
3. Use internal cluster URL: `http://gitea-http.gitea.svc.cluster.local:3000/tho/taskplaner.git`
4. Use same credentials as existing gitea-repo secret (username: admin)

Create the file `argocd/repo-secret.yaml`:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: taskplaner-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: http://gitea-http.gitea.svc.cluster.local:3000/tho/taskplaner.git
  username: admin
  password: <GET_FROM_EXISTING_SECRET>
```

Get the password from existing gitea-repo secret:
```bash
kubectl get secret gitea-repo -n argocd -o jsonpath='{.data.password}' | base64 -d
```

Apply the secret:
```bash
kubectl apply -f argocd/repo-secret.yaml
```

Note: Do NOT commit the password to Git. The file should use a placeholder or be gitignored.
Actually, create the secret directly with kubectl instead of a file with real credentials:

```bash
PASSWORD=$(kubectl get secret gitea-repo -n argocd -o jsonpath='{.data.password}' | base64 -d)
kubectl create secret generic taskplaner-repo \
  --namespace argocd \
  --from-literal=type=git \
  --from-literal=url=http://gitea-http.gitea.svc.cluster.local:3000/tho/taskplaner.git \
  --from-literal=username=admin \
  --from-literal=password="$PASSWORD" \
  --dry-run=client -o yaml | kubectl label -f - argocd.argoproj.io/secret-type=repository --local -o yaml | kubectl apply -f -
```

Or simpler approach - just apply with label:
```bash
PASSWORD=$(kubectl get secret gitea-repo -n argocd -o jsonpath='{.data.password}' | base64 -d)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: taskplaner-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: http://gitea-http.gitea.svc.cluster.local:3000/tho/taskplaner.git
  username: admin
  password: "$PASSWORD"
EOF
```
  </action>
  <verify>
```bash
kubectl get secret taskplaner-repo -n argocd
kubectl get secret taskplaner-repo -n argocd -o jsonpath='{.metadata.labels}'
```
Should show the secret exists with repository label.
  </verify>
  <done>Secret `taskplaner-repo` exists in argocd namespace with correct labels and credentials.</done>
</task>

<task type="auto">
  <name>Task 2: Update and apply ArgoCD Application manifest</name>
  <files>argocd/application.yaml</files>
  <action>
Update `argocd/application.yaml` to:
1. Use internal Gitea URL (matches the repo secret)
2. Remove the inline registry secret (it has a placeholder that shouldn't be in Git)
3. Ensure the Application references the correct image pull secret name

Changes needed in application.yaml:
1. Change `repoURL` from `https://git.kube2.tricnet.de/tho/taskplaner.git` to `http://gitea-http.gitea.svc.cluster.local:3000/tho/taskplaner.git`
2. Remove the `---` separated Secret at the bottom (gitea-registry-secret with placeholder)
3. The helm values already reference `gitea-registry-secret` for imagePullSecrets

The registry secret needs to exist separately. Check if it exists:
```bash
kubectl get secret gitea-registry-secret -n default
```

If it doesn't exist, create it (the helm chart expects it). Get Gitea registry credentials and create:
```bash
# Create the registry secret for image pulls
kubectl create secret docker-registry gitea-registry-secret \
  --namespace default \
  --docker-server=git.kube2.tricnet.de \
  --docker-username=admin \
  --docker-password="$(kubectl get secret gitea-repo -n argocd -o jsonpath='{.data.password}' | base64 -d)"
```

Then apply the Application:
```bash
kubectl apply -f argocd/application.yaml
```
  </action>
  <verify>
```bash
kubectl get application taskplaner -n argocd
kubectl get application taskplaner -n argocd -o jsonpath='{.status.sync.status}'
```
Application should exist and show sync status.
  </verify>
  <done>ArgoCD Application `taskplaner` exists and ArgoCD begins syncing.</done>
</task>

<task type="auto">
  <name>Task 3: Wait for sync and verify healthy status</name>
  <files></files>
  <action>
Wait for ArgoCD to sync the application and verify it reaches Synced + Healthy status.

```bash
# Wait for sync (up to 5 minutes)
kubectl wait --for=jsonpath='{.status.sync.status}'=Synced application/taskplaner -n argocd --timeout=300s

# Check health status
kubectl get application taskplaner -n argocd -o jsonpath='{.status.health.status}'

# Get full status
kubectl get application taskplaner -n argocd -o wide
```

If sync fails, check:
1. ArgoCD logs: `kubectl logs -n argocd -l app.kubernetes.io/name=argocd-repo-server`
2. Application status: `kubectl describe application taskplaner -n argocd`
3. Repo connectivity: ArgoCD UI Settings -> Repositories

Common issues:
- Repo credentials incorrect: Check taskplaner-repo secret
- Helm chart errors: Check argocd-repo-server logs
- Image pull errors: Check gitea-registry-secret
  </action>
  <verify>
```bash
kubectl get application taskplaner -n argocd -o jsonpath='{.status.sync.status}'
kubectl get application taskplaner -n argocd -o jsonpath='{.status.health.status}'
```
Should output: `Synced` and `Healthy`
  </verify>
  <done>Application shows "Synced" status and "Healthy" health in ArgoCD.</done>
</task>

</tasks>

<verification>
Phase success indicators:
1. `kubectl get secret taskplaner-repo -n argocd` returns the secret
2. `kubectl get application taskplaner -n argocd` shows the application
3. Application status is Synced and Healthy
4. ArgoCD UI at argocd.kube2.tricnet.de shows TaskPlanner with green sync status
</verification>

<success_criteria>
- Repository secret created with correct labels
- Application manifest applied successfully
- ArgoCD shows TaskPlanner as Synced
- ArgoCD shows TaskPlanner as Healthy
- Requirements GITOPS-01 (already done) and GITOPS-02 satisfied
</success_criteria>

<output>
After completion, create `.planning/phases/07-gitops-foundation/07-01-SUMMARY.md`
</output>