From 0841d6bbe6a1d4dedecc1355042a3c5efb59e5be Mon Sep 17 00:00:00 2001
From: chemavx <chemavx@git.chemavx.xyz>
Date: Tue, 14 Apr 2026 20:30:36 +0000
Subject: [PATCH] fix: add CreateOnly sync option to n8n-secret to prevent
 ArgoCD from overwriting encryption key

---
 n8n/secret-n8n-secret.yaml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/n8n/secret-n8n-secret.yaml b/n8n/secret-n8n-secret.yaml
index 4a7feaa..c5637d9 100644
--- a/n8n/secret-n8n-secret.yaml
+++ b/n8n/secret-n8n-secret.yaml
@@ -4,9 +4,10 @@ metadata:
   name: n8n-secret
   namespace: n8n
   annotations:
-    argocd.argoproj.io/sync-options: "Prune=false"
-    # data managed manually — do NOT store the real value here
-    # create/update with: kubectl create secret generic n8n-secret \
-    #   --from-literal=encryption-key='<value-from-vaultwarden>' \
-    #   -n n8n --dry-run=client -o yaml | kubectl apply -f -
+    # CreateOnly: ArgoCD creates this secret if it doesn't exist but never overwrites it.
+    # Populate the key manually before first deploy:
+    #   kubectl create secret generic n8n-secret \
+    #     --from-literal=encryption-key='<value-from-vaultwarden>' \
+    #     -n n8n --dry-run=client -o yaml | kubectl apply -f -
+    argocd.argoproj.io/sync-options: "CreateOnly=true"
 type: Opaque