# Secrets - Prerequisites

`git-pages` requires the following Kubernetes Secrets to exist before the cluster consumers can use them. These secrets are not managed by Helm — create them manually or via external secret management (SealedSecrets, External Secrets Operator, Vault).

TLS (`git-pages-tls`) is issued by cert-manager — not a manual prerequisite.

---

## Secret Inventory

| Secret | Keys | Consumers | Required |
|--------|------|-----------|----------|
| `git-pages-publish-auth` | `users` | Traefik Middleware `git-pages-publish-auth` | Always |
| `git-pages-retention-gitea` | `token` | CronJob `git-pages-retention` | Always |

---

## Tokens

### Publish token

Not a Gitea PAT. A random string (`GIT_PAGES_PUBLISH_TOKEN`) that goes to two places:

| Place | Format |
|-------|--------|
| Kubernetes `git-pages-publish-auth` | htpasswd line for user `publish` (`publish:` followed by the password hash) |
| Gitea Actions secret `GIT_PAGES_PUBLISH_TOKEN` | the same plaintext |

CI uses it for Traefik BasicAuth. It grants no git write access.

**Export to Gitea:** Organization or Repository → Settings → Actions → Secrets → `GIT_PAGES_PUBLISH_TOKEN` = the publish token's plaintext (use an org secret if several repos publish).

### Retention token

A Gitea PAT for the CronJob. The CronJob lists branches per repository (`GET /api/v1/repos/{owner}/{repo}/branches`) and deletes reports whose `.meta.branch` no longer exists in Gitea.

Only **`read:repository`** is needed. Not `write:repository`. The token's owner must be able to see every repo that has reports on disk.

**Not exported to Gitea**; it lives only in the Kubernetes Secret `git-pages-retention-gitea`.

**PAT in Gitea (read only):**

1. Log in as a Gitea user with read access to all report repos
2. **Settings** → **Applications** → **Generate New Token**
3. Token name: e.g. `git-pages-retention`
4. Scopes: select only **`read:repository`**; do not select `write:repository` or any other scope
5. **Generate Token** → copy the token immediately (it is shown only once)
6. Set it in your shell: `export GITEA_RETENTION_TOKEN='gitea_pat_…'`

---

## Create Secrets

```bash
NS=git-pages

# Publish
GIT_PAGES_PUBLISH_TOKEN="$(openssl rand -base64 24)"
kubectl create secret generic git-pages-publish-auth \
  --from-literal=users="$(docker run --rm httpd:2-alpine htpasswd -nb publish "$GIT_PAGES_PUBLISH_TOKEN")" \
  -n $NS
echo "Gitea Actions → GIT_PAGES_PUBLISH_TOKEN:"
echo "$GIT_PAGES_PUBLISH_TOKEN"

# Retention (PAT created in Gitea as described above)
kubectl create secret generic git-pages-retention-gitea \
  --from-literal=token="$GITEA_RETENTION_TOKEN" \
  -n $NS

kubectl get secrets -n $NS
```

---

## Secret Management (Production)

Secrets can be created manually with the snippets above, or migrated to a secret management solution. The `kubectl create` blocks are the baseline — replace them with the target tool's equivalent when ready:

| Approach | Replaces `kubectl create` with |
|----------|-------------------------------|
| Manual rotation | Re-run the same snippets with new values |
| SealedSecrets | `kubeseal` encrypted manifest |
| External Secrets Operator | `ExternalSecret` CR pointing to the vault |
| Vault / other | Vault agent / CSI driver injection |

Structure of `docs/secrets.md` stays identical regardless of the chosen approach.
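The retention sweep described under "Retention token", as an added example that is not the project's own CronJob code: it models the `GET /api/v1/repos/{owner}/{repo}/branches` call with an injected fetcher and constructed `.meta` data, and shows why the token's owner must see every repo that has reports on disk: a repo the PAT cannot see returns 404, which must be skipped rather than treated as "no branches left".

```python
"""Plan a retention sweep: delete only reports whose branch is gone from Gitea.

Added example, not git-pages' own code. Assumes each report has a .meta with
owner/repo/branch, and stands in for the Gitea API with a fake fetcher so it
runs offline. All sample data below is constructed.
"""

# Constructed sample: what the CronJob would read from .meta files on disk.
REPORTS = [
    {"path": "reports/acme/web/main", "owner": "acme", "repo": "web", "branch": "main"},
    {"path": "reports/acme/web/feature-x", "owner": "acme", "repo": "web", "branch": "feature-x"},
    {"path": "reports/acme/api/main", "owner": "acme", "repo": "api", "branch": "main"},
    {"path": "reports/acme/hidden/main", "owner": "acme", "repo": "hidden", "branch": "main"},
]

# Constructed stand-in for the Gitea API: (HTTP status, branch names).
# "hidden" answers 404, as Gitea does when the PAT owner cannot see the repo.
FAKE_GITEA = {
    ("acme", "web"): (200, ["main"]),
    ("acme", "api"): (200, ["main", "dev"]),
    ("acme", "hidden"): (404, []),
}


def fake_fetch_branches(owner: str, repo: str) -> tuple[int, list[str]]:
    """Hypothetical replacement for GET /api/v1/repos/{owner}/{repo}/branches."""
    return FAKE_GITEA.get((owner, repo), (404, []))


def plan_retention(reports, fetch) -> tuple[list[str], list[str]]:
    """Return (paths_to_delete, repos_skipped).

    A repo whose branch list could not be fetched is skipped entirely: a 404
    from an under-privileged token must never be read as "no branches", or the
    sweep would wipe every report of that repo.
    """
    by_repo: dict[tuple[str, str], list[dict]] = {}
    for r in reports:
        by_repo.setdefault((r["owner"], r["repo"]), []).append(r)
    to_delete, skipped = [], []
    for (owner, repo), items in sorted(by_repo.items()):
        status, branches = fetch(owner, repo)
        if status != 200:
            skipped.append(f"{owner}/{repo}")
            continue
        live = set(branches)
        to_delete.extend(r["path"] for r in items if r["branch"] not in live)
    return to_delete, skipped


if __name__ == "__main__":
    delete, skipped = plan_retention(REPORTS, fake_fetch_branches)
    print("delete:", delete)
    print("skipped (token cannot see repo, check PAT owner):", skipped)
```

A non-empty `skipped` list in the CronJob's output is the signal that the PAT's owner lacks read access to a repo, not that the repo has no branches.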