git-pages helm chart
This commit is contained in:
moilanik
@@ -0,0 +1,96 @@
|
||||
# Secrets - Prerequisites
|
||||
|
||||
`git-pages` requires the following Kubernetes Secrets to exist before the cluster
|
||||
consumers can use them. These secrets are not managed by Helm — create them manually or
|
||||
via external secret management (SealedSecrets, External Secrets Operator, Vault).
|
||||
|
||||
TLS (`git-pages-tls`) is issued by cert-manager — not a manual prerequisite.
|
||||
|
||||
---
|
||||
|
||||
## Secret Inventory
|
||||
|
||||
| Secret | Keys | Consumers | Required |
|
||||
|--------|------|-----------|----------|
|
||||
| `git-pages-publish-auth` | `users` | Traefik Middleware `git-pages-publish-auth` | Always |
|
||||
| `git-pages-retention-gitea` | `token` | CronJob `git-pages-retention` | Always |
|
||||
|
||||
---
|
||||
|
||||
## Tokens
|
||||
|
||||
### Publish token
|
||||
|
||||
Ei Gitea PAT. Satunnainen merkkijono (`GIT_PAGES_PUBLISH_TOKEN`), joka menee kahteen paikkaan:
|
||||
|
||||
| Paikka | Muoto |
|
||||
|--------|-------|
|
||||
| Kubernetes `git-pages-publish-auth` | htpasswd: `publish:<hash>` |
|
||||
| Gitea Actions secret `GIT_PAGES_PUBLISH_TOKEN` | sama plaintext |
|
||||
|
||||
CI käyttää sitä Traefik BasicAuthiin. Ei git-kirjoitusoikeutta.
|
||||
|
||||
**Vienti Giteaan:** Organization or Repository → Settings → Actions → Secrets →
|
||||
`GIT_PAGES_PUBLISH_TOKEN` = publish-tokenin plaintext (org secret, jos usea repo julkaisee).
|
||||
|
||||
### Retention token
|
||||
|
||||
Gitea PAT CronJobille. CronJob listaa branchit repokohtaisesti
|
||||
(`GET /api/v1/repos/{owner}/{repo}/branches`) ja poistaa raportit, joiden `.meta.branch`
|
||||
ei ole enää Giteassa.
|
||||
|
||||
Tarvitaan vain **`read:repository`**. Ei `write:repository`. Tokenin omistajan täytyy
|
||||
nähdä kaikki repot, joista raportteja on levyllä.
|
||||
|
||||
**Ei viedä Giteaan** — vain Kubernetes Secret `git-pages-retention-gitea`.
|
||||
|
||||
**PAT Giteassa (read only):**
|
||||
|
||||
1. Kirjaudu Gitea-käyttäjällä, jolla on luku kaikkiin raporttirepoihin
|
||||
2. **Settings** → **Applications** → **Generate New Token**
|
||||
3. Token name: esim. `git-pages-retention`
|
||||
4. Scopes: valitse vain **`read:repository`** — älä valitse `write:repository` eikä muita
|
||||
5. **Generate Token** → kopioi token heti (näytetään vain kerran)
|
||||
6. Aseta shelliin: `export GITEA_RETENTION_TOKEN='gitea_pat_…'`
|
||||
|
||||
---
|
||||
|
||||
## Create Secrets
|
||||
|
||||
```bash
|
||||
NS=git-pages
|
||||
|
||||
# Publish
|
||||
GIT_PAGES_PUBLISH_TOKEN="$(openssl rand -base64 24)"
|
||||
|
||||
kubectl create secret generic git-pages-publish-auth \
|
||||
--from-literal=users="$(docker run --rm httpd:2-alpine htpasswd -nb publish "$GIT_PAGES_PUBLISH_TOKEN")" \
|
||||
-n $NS
|
||||
|
||||
echo "Gitea Actions → GIT_PAGES_PUBLISH_TOKEN:"
|
||||
echo "$GIT_PAGES_PUBLISH_TOKEN"
|
||||
|
||||
# Retention (PAT luotu yllä Giteassa)
|
||||
kubectl create secret generic git-pages-retention-gitea \
|
||||
--from-literal=token="$GITEA_RETENTION_TOKEN" \
|
||||
-n $NS
|
||||
|
||||
kubectl get secrets -n $NS
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Secret Management (Production)
|
||||
|
||||
Secrets can be created manually with the snippets above, or migrated to a secret management
|
||||
solution. The `kubectl create` blocks are the rolling source — replace them with the target
|
||||
tool's equivalent when ready:
|
||||
|
||||
| Approach | Replaces `kubectl create` with |
|
||||
|----------|-------------------------------|
|
||||
| Manual rotation | Re-run the same snippets with new values |
|
||||
| SealedSecrets | `kubeseal` encrypted manifest |
|
||||
| External Secrets Operator | `ExternalSecret` CR pointing to the vault |
|
||||
| Vault / other | Vault agent / CSI driver injection |
|
||||
|
||||
Structure of `docs/secrets.md` stays identical regardless of the chosen approach.
|
||||
Reference in New Issue
Block a user