From 651ef838ce64e7fe367fef1da25662d1588f2e36 Mon Sep 17 00:00:00 2001
From: Celes Renata
Date: Sun, 19 Apr 2026 21:58:48 +0000
Subject: [PATCH] fix: add Argo Rollouts install, secrets seeding, and Kargo admin password fix to runmefirst.sh
---
 pipelines/runmefirst.sh | 67 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
diff --git a/pipelines/runmefirst.sh b/pipelines/runmefirst.sh
index 7a066d0..b846f4c 100755
--- a/pipelines/runmefirst.sh
+++ b/pipelines/runmefirst.sh
@@ -247,6 +247,58 @@ kubectl apply -f argocd/apps/stonks-live.yaml
 echo " ✓ ArgoCD repo secret and Applications applied"
 echo ""
+# -------------------------------------------------------
+# 6b. Install Argo Rollouts (CRDs + controller for Kargo verification)
+# -------------------------------------------------------
+echo "--- Step 6b: Installing Argo Rollouts ---"
+kubectl create namespace argo-rollouts --dry-run=client -o yaml | kubectl apply -f -
+kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml
+kubectl rollout status deployment/argo-rollouts -n argo-rollouts --timeout=120s > /dev/null 2>&1 || true
+echo " ✓ Argo Rollouts installed (provides AnalysisRun CRD for Kargo verification)"
+echo ""
+
+# -------------------------------------------------------
+# 6c. Seed secrets for beta, paper, and live namespaces
+# -------------------------------------------------------
+echo "--- Step 6c: Seeding secrets for beta/paper/live ---"
+# These secrets are NOT managed by Helm (ArgoCD ignoreDifferences prevents overwrite).
+# Source credentials from the cluster's infrastructure services.
+REDIS_PW=$(kubectl get secret -n redis-service redis -o jsonpath='{.data.redis-password}' | base64 -d 2>/dev/null || echo "")
+MINIO_AK=$(kubectl get secret -n minio-service minio-secrets -o jsonpath='{.data.MINIO_ACCESS_KEY}' | base64 -d 2>/dev/null || echo "minioadmin")
+MINIO_SK=$(kubectl get secret -n minio-service minio-secrets -o jsonpath='{.data.MINIO_SECRET_KEY}' | base64 -d 2>/dev/null || echo "minioadmin")
+ALPACA_KEY=$(cat /root/sources/celesrenata/stonks-oracle/alpaca.key 2>/dev/null || echo "")
+ALPACA_SECRET=$(cat /root/sources/celesrenata/stonks-oracle/alpaca.secret 2>/dev/null || echo "")
+ALPACA_URL=$(cat /root/sources/celesrenata/stonks-oracle/alpaca.url 2>/dev/null || echo "https://paper-api.alpaca.markets")
+POLYGON_KEY=$(cat /root/sources/celesrenata/stonks-oracle/polygon.io.key 2>/dev/null || echo "")
+
+for ns in stonks-beta stonks-paper stonks-oracle; do
+ kubectl create secret generic stonks-core-secrets \
+ --from-literal=POSTGRES_PASSWORD='St0nks0racl3!' \
+ --from-literal=REDIS_PASSWORD="$REDIS_PW" \
+ --from-literal=MINIO_ACCESS_KEY="$MINIO_AK" \
+ --from-literal=MINIO_SECRET_KEY="$MINIO_SK" \
+ -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
+ kubectl create secret generic stonks-broker-secrets \
+ --from-literal=BROKER_API_KEY="$ALPACA_KEY" \
+ --from-literal=BROKER_API_SECRET="$ALPACA_SECRET" \
+ --from-literal=BROKER_BASE_URL="$ALPACA_URL" \
+ -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
+ kubectl create secret generic stonks-market-secrets \
+ --from-literal=MARKET_DATA_API_KEY="$POLYGON_KEY" \
+ -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
+ kubectl create secret generic stonks-gmail-secrets \
+ --from-literal=GMAIL_SENDER='celes@celestium.life' \
+ --from-literal=GMAIL_RECIPIENT='celes@celestium.life' \
+ --from-literal=GMAIL_APP_PASSWORD='' \
+ -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
+ kubectl create secret generic stonks-dashboard-secrets \
+ --from-literal=SUPERSET_SECRET_KEY='stonks-superset-key' \
+ --from-literal=SUPERSET_ADMIN_PASSWORD='St0nks0racl3!' \
+ -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
+ echo " ✓ Secrets seeded in $ns"
+done
+echo ""
+
 # -------------------------------------------------------
 # 7. Install Kargo via Helm
 # -------------------------------------------------------
@@ -289,6 +341,21 @@ for i in $(seq 1 24); do
 done
 echo " ✓ Kargo installed"
+# Fix Kargo admin password — Helm chart leaves the secret empty on fresh install.
+# The hash must match the password in kargo/values.yaml (passwordHash field).
+KARGO_PW_HASH='$2b$10$juNdw96VeP/7oP3.RYPnwuUo2lk/eheAqkUqbwh16a1UH17olxyWC'
+kubectl get secret kargo-api -n kargo -o json | \
+ python3 -c "
+import sys, json, base64
+d = json.load(sys.stdin)
+d['data']['ADMIN_ACCOUNT_PASSWORD_HASH'] = base64.b64encode(b'${KARGO_PW_HASH}').decode()
+for k in ['managedFields','resourceVersion','uid','creationTimestamp']:
+ d['metadata'].pop(k, None)
+json.dump(d, sys.stdout)
+" | kubectl replace -f - > /dev/null 2>&1 || true
+kubectl delete pod -n kargo -l app.kubernetes.io/component=api --ignore-not-found > /dev/null 2>&1
+echo " ✓ Kargo admin password configured (admin / St0nksKarg0!)"
+
 kubectl apply -f kargo/project.yaml
 kubectl apply -f kargo/project-config.yaml
 kubectl apply -f kargo/warehouse.yaml
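Review bot: The seeding loop in step 6c commits working credentials to the repository: `POSTGRES_PASSWORD`, `SUPERSET_SECRET_KEY` and `SUPERSET_ADMIN_PASSWORD` are string literals, and the same values are written into stonks-beta, stonks-paper and stonks-oracle alike. Read them from the environment and stop when one is missing, e.g. `--from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}"`, and rotate the values that are already in history. The lookups above the loop have a related gap: in `kubectl get secret … | base64 -d 2>/dev/null || echo "minioadmin"` the `||` only sees the exit status of `base64`, so unless `pipefail` is enabled outside this hunk a failed `kubectl` yields an empty string instead of the fallback, and when the fallback does apply it is the well-known MinIO default; an empty or default value should abort the script rather than be seeded. Step 6b also applies whatever `releases/latest/download/install.yaml` resolves to at run time and hides the rollout result behind `> /dev/null 2>&1 || true`, so pinning a release tag and checking the `kubectl rollout status` result would make the install reproducible and the success message truthful.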
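Review bot: The last added `echo` prints the Kargo admin password in clear text, so it ends up in the terminal scrollback and any CI log of this script, and together with the bcrypt literal in `KARGO_PW_HASH` it is now part of the repository history. Report only the outcome, e.g. `echo "  ✓ Kargo admin password hash applied"`, and take the hash from an environment variable or a secret store instead of a literal in the script. The success line is also printed when nothing was changed, because the `kubectl replace` pipeline discards its output and ends in `|| true`; letting that failure surface (or at least warning on it) avoids a fresh install that keeps the empty admin secret described in the comment while the script reports it as configured.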