gitea-ci-library/git-pages/docs/secrets.md
2026-06-10 05:18:58 +03:00

# Secrets - Prerequisites

`git-pages` requires the following Kubernetes Secrets to exist before the cluster
consumers can use them. These secrets are not managed by Helm — create them manually or
via external secret management (SealedSecrets, External Secrets Operator, Vault).

TLS (`git-pages-tls`) is issued by cert-manager — not a manual prerequisite.

---
## Secret Inventory

| Secret | Keys | Consumers | Required |
|--------|------|-----------|----------|
| `git-pages-publish-auth` | `users` | Traefik Middleware `git-pages-publish-auth` | Always |
| `git-pages-retention-gitea` | `token` | CronJob `git-pages-retention` | Always |

---
## Tokens

### Publish token

Not a Gitea PAT. A random string (`GIT_PAGES_PUBLISH_TOKEN`) that goes to two places:

| Place | Format |
|-------|--------|
| Kubernetes `git-pages-publish-auth` | htpasswd: `publish:<hash>` |
| Gitea Actions secret `GIT_PAGES_PUBLISH_TOKEN` | same plaintext |

CI uses it for Traefik BasicAuth. It grants no git write access.

**Export to Gitea:** Organization or Repository → Settings → Actions → Secrets →
`GIT_PAGES_PUBLISH_TOKEN` = the publish token's plaintext (org secret if several repos publish).
### Retention token

Gitea PAT for the CronJob. The CronJob lists branches per repo
(`GET /api/v1/repos/{owner}/{repo}/branches`) and deletes reports whose `.meta.branch`
no longer exists in Gitea.

Only **`read:repository`** is needed, not `write:repository`. The token's owner must be able to
see every repo that has reports on disk.

**Not exported to Gitea**: only the Kubernetes Secret `git-pages-retention-gitea`.

**PAT in Gitea (read only):**
1. Log in as the Gitea user that has read access to all report repos
2. **Settings** → **Applications** → **Generate New Token**
3. Token name: e.g. `git-pages-retention`
4. Scopes: select only **`read:repository`**; do not select `write:repository` or anything else
5. **Generate Token** → copy the token immediately (it is shown only once)
6. Set it in the shell: `export GITEA_RETENTION_TOKEN='gitea_pat_…'`
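To make the retention rule concrete, here is an added Python sketch of the decision the CronJob has to make (example code, not the project's own; the `.meta` field names `owner` and `repo`, the report paths and the API responses are constructed stand-ins). It also shows why the token owner must see every repo: a repo the PAT cannot list answers 404 rather than an empty branch list, and the safe reaction is to skip that repo's reports, never to delete them.

```python
import json

# Constructed sample: the .meta file each report directory carries
# (only `branch` is named by the docs; `owner`/`repo` are assumed here)
REPORTS = {
    "/data/acme/webapp/main": '{"owner": "acme", "repo": "webapp", "branch": "main"}',
    "/data/acme/webapp/feature-old": '{"owner": "acme", "repo": "webapp", "branch": "feature/old"}',
    "/data/acme/lib/main": '{"owner": "acme", "repo": "lib", "branch": "main"}',
    "/data/acme/private/main": '{"owner": "acme", "repo": "private", "branch": "main"}',
}

# Constructed: what GET /api/v1/repos/{owner}/{repo}/branches would return.
# None models a repo the read:repository PAT cannot see (Gitea answers 404,
# which is not the same as "this repo has no branches").
BRANCHES = {
    ("acme", "webapp"): [{"name": "main"}, {"name": "feature/login"}],
    ("acme", "lib"): [{"name": "main"}],
    ("acme", "private"): None,
}


def list_branches(owner, repo):
    """Stand-in for the API call: set of branch names, or None on 404."""
    body = BRANCHES.get((owner, repo))
    return None if body is None else {b["name"] for b in body}


def plan_retention(reports=REPORTS):
    """Return (delete, skipped).

    delete:  reports whose .meta.branch is no longer in Gitea
    skipped: reports whose repo could not be listed; left untouched so a
             too-narrow token causes a visible skip, not silent data loss
    """
    cache, delete, skipped = {}, [], []
    for path, raw in reports.items():
        meta = json.loads(raw)
        key = (meta["owner"], meta["repo"])
        if key not in cache:            # one API call per repo, not per report
            cache[key] = list_branches(*key)
        if cache[key] is None:
            skipped.append(path)
        elif meta["branch"] not in cache[key]:
            delete.append(path)
    return delete, skipped


if __name__ == "__main__":
    to_delete, to_skip = plan_retention()
    print("delete:", to_delete)
    print("skipped (repo not visible to token):", to_skip)
```

A run that reports anything under "skipped" is the signal that the retention PAT's owner lacks read access to a repo with reports on disk.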
---
## Create Secrets
```bash
NS=git-pages

# Publish: random token, stored hashed (htpasswd) for Traefik and in plaintext for Gitea Actions
GIT_PAGES_PUBLISH_TOKEN="$(openssl rand -base64 24)"
# htpasswd -nb prints "publish:<hash>" (apr1/MD5 by default; add -B for bcrypt if preferred)
kubectl create secret generic git-pages-publish-auth \
  --from-literal=users="$(docker run --rm httpd:2-alpine htpasswd -nb publish "$GIT_PAGES_PUBLISH_TOKEN")" \
  -n "$NS"
echo "Gitea Actions → GIT_PAGES_PUBLISH_TOKEN:"
echo "$GIT_PAGES_PUBLISH_TOKEN"

# Retention (PAT created in Gitea as described above)
# Abort if the variable is unset, otherwise an empty token would be stored silently
: "${GITEA_RETENTION_TOKEN:?set GITEA_RETENTION_TOKEN first}"
kubectl create secret generic git-pages-retention-gitea \
  --from-literal=token="$GITEA_RETENTION_TOKEN" \
  -n "$NS"

kubectl get secrets -n "$NS"
```
---
## Secret Management (Production)

Secrets can be created manually with the snippets above, or migrated to a secret management
solution. The `kubectl create` blocks are the source of truth for which secrets exist and which
keys they carry; replace them with the target tool's equivalent when ready:

| Approach | Replaces `kubectl create` with |
|----------|-------------------------------|
| Manual rotation | Re-run the same snippets with new values |
| SealedSecrets | `kubeseal` encrypted manifest |
| External Secrets Operator | `ExternalSecret` CR pointing to the vault |
| Vault / other | Vault agent / CSI driver injection |

The structure of `docs/secrets.md` stays identical regardless of the chosen approach.