Secrets - Prerequisites
git-pages requires the following Kubernetes Secrets to exist before the cluster
consumers can use them. These secrets are not managed by Helm — create them manually or
via external secret management (SealedSecrets, External Secrets Operator, Vault).
TLS (git-pages-tls) is issued by cert-manager — not a manual prerequisite.
Secret Inventory
| Secret | Keys | Consumers | Required |
|---|---|---|---|
| git-pages-publish-auth | users | Traefik Middleware git-pages-publish-auth | Always |
| git-pages-retention-gitea | token | CronJob git-pages-retention | Always |
Tokens
Publish token
Not a Gitea PAT. A random string (GIT_PAGES_PUBLISH_TOKEN) that goes in two places:
| Place | Format |
|---|---|
| Kubernetes git-pages-publish-auth | htpasswd: publish:<hash> |
| Gitea Actions secret GIT_PAGES_PUBLISH_TOKEN | same plaintext |
CI uses it for Traefik BasicAuth. It grants no git write access.
Export to Gitea: Organization or Repository → Settings → Actions → Secrets →
GIT_PAGES_PUBLISH_TOKEN = the publish token's plaintext (an org secret if several repos publish).
Retention token
A Gitea PAT for the CronJob. The CronJob lists branches per repository
(GET /api/v1/repos/{owner}/{repo}/branches) and deletes reports whose .meta.branch
no longer exists in Gitea.
Only read:repository is needed, not write:repository. The token's owner must be able to
see every repo that has reports on disk.
Not exported to Gitea; only the Kubernetes Secret git-pages-retention-gitea.
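As an added example (not the git-pages project's own code), the decision the retention CronJob makes with that PAT: it only issues GET against the branches endpoint above, follows pagination, and keeps every report belonging to a repo the token owner cannot list, so a 403 or a partial listing never turns into a deletion. It assumes each report's .meta carries repo ("owner/name") and branch, that Gitea pages the listing with page/limit query parameters, and that the PAT goes in an "Authorization: token" header.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

GITEA_URL = "https://gitea.example.invalid"  # placeholder base URL


def gitea_get(url: str, token: str) -> list:
    """One GET with the retention PAT; raises on HTTP errors (403/404 included)."""
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_branches(owner: str, repo: str, token: str,
                  get: Callable = gitea_get, limit: int = 50) -> Optional[set]:
    """All branch names of owner/repo, following pagination until a short page.
    Returns None when the listing fails (e.g. the PAT owner cannot see the repo):
    a failed or incomplete listing must never be mistaken for 'no branches'."""
    names, page = set(), 1
    while True:
        url = f"{GITEA_URL}/api/v1/repos/{owner}/{repo}/branches?page={page}&limit={limit}"
        try:
            items = get(url, token)
        except (urllib.error.URLError, ValueError):
            return None
        names.update(b["name"] for b in items)
        if len(items) < limit:
            return names
        page += 1


def stale_reports(reports: Iterable, token: str, get: Callable = gitea_get) -> list:
    """Paths of reports whose .meta.branch no longer exists in Gitea.
    reports: (path, meta) pairs; meta is the parsed .meta file (assumed to hold
    "repo" as "owner/name" and "branch"). Repos that could not be listed are
    skipped, i.e. kept: the CronJob fails closed rather than deleting blindly."""
    cache, stale = {}, []
    for path, meta in reports:
        repo, branch = meta.get("repo"), meta.get("branch")
        if not repo or not branch or "/" not in repo:
            continue  # malformed metadata: keep
        if repo not in cache:
            owner, name = repo.split("/", 1)
            cache[repo] = list_branches(owner, name, token, get)
        live = cache[repo]
        if live is not None and branch not in live:
            stale.append(path)
    return stale
```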
Creating the PAT in Gitea (read only):
- Log in as a Gitea user with read access to all report repositories
- Settings → Applications → Generate New Token
- Token name: e.g. git-pages-retention
- Scopes: select only read:repository; do not select write:repository or any other scope
- Generate Token → copy the token immediately (it is shown only once)
- Set it in the shell:
```sh
export GITEA_RETENTION_TOKEN='gitea_pat_…'
```
Create Secrets
```sh
NS=git-pages

# Publish: a random token, stored as an htpasswd hash in Kubernetes and as
# plaintext in Gitea Actions. htpasswd runs from the httpd image so no local install is needed.
GIT_PAGES_PUBLISH_TOKEN="$(openssl rand -base64 24)"
kubectl create secret generic git-pages-publish-auth \
  --from-literal=users="$(docker run --rm httpd:2-alpine htpasswd -nb publish "$GIT_PAGES_PUBLISH_TOKEN")" \
  -n "$NS"
echo "Gitea Actions → GIT_PAGES_PUBLISH_TOKEN:"
echo "$GIT_PAGES_PUBLISH_TOKEN"

# Retention (PAT created above in Gitea); abort instead of storing an empty token
: "${GITEA_RETENTION_TOKEN:?export GITEA_RETENTION_TOKEN first (see the PAT steps above)}"
kubectl create secret generic git-pages-retention-gitea \
  --from-literal=token="$GITEA_RETENTION_TOKEN" \
  -n "$NS"

kubectl get secrets -n "$NS"
```
Secret Management (Production)
Secrets can be created manually with the snippets above, or migrated to a secret management
solution. The kubectl create blocks are the reference definition of each secret — replace them with the target
tool's equivalent when ready:
| Approach | Replaces kubectl create with |
|---|---|
| Manual rotation | Re-run the same snippets with new values |
| SealedSecrets | kubeseal encrypted manifest |
| External Secrets Operator | ExternalSecret CR pointing to the vault |
| Vault / other | Vault agent / CSI driver injection |
Structure of docs/secrets.md stays identical regardless of the chosen approach.