# Required Kubernetes secrets

Base manifests and the Hetzner single-node overlay both expect secrets to be supplied out-of-band. The Hetzner overlay generates `unrip/unrip-secrets`, `forgejo/forgejo-secrets`, and `registry/registry-secrets` from local files.

## Required secrets

- `unrip/unrip-secrets`
  - `NEAR_INTENTS_API_KEY`
- `forgejo/forgejo-secrets`
  - `root_url`
  - `domain`
  - `runner_registration_token`
- `registry/registry-secrets`
  - `htpasswd`

## Overlay-driven generation

The `deploy/k8s/overlays/hetzner-single-node` overlay can generate these from local files via `secretGenerator`.

Example workflow:

```bash
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
```

For future projects, follow the same convention with project-specific secret names in project-specific namespaces. Do not commit populated secret files.
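
A pre-apply check for the workflow above, as an added example that is not part of this repository: it fails when a secret file is missing or empty, is still an unedited copy of its `.example` template, or is tracked by git. The function name `check_overlay_secrets` is hypothetical; the three file names are the ones copied in the workflow.

```bash
#!/bin/sh
# Added example (not project code): validate the overlay's local secret
# files before running `kubectl apply -k`.
# Usage: sh check-secrets.sh deploy/k8s/overlays/hetzner-single-node/secrets

check_overlay_secrets() {
  cos_dir="$1"
  cos_rc=0
  for cos_f in unrip.env forgejo.env registry.htpasswd; do
    cos_path="$cos_dir/$cos_f"

    # secretGenerator needs every source file present and non-empty.
    if [ ! -s "$cos_path" ]; then
      echo "MISSING  $cos_path (copy $cos_f.example and fill it in)" >&2
      cos_rc=1
      continue
    fi

    # An unedited copy of the template would deploy placeholder values.
    if [ -f "$cos_path.example" ] && cmp -s "$cos_path" "$cos_path.example"; then
      echo "TEMPLATE $cos_path is identical to $cos_f.example" >&2
      cos_rc=1
    fi

    # Populated secret files must not be tracked by git. Outside a git
    # work tree (or without git installed) this test is simply false.
    if git -C "$cos_dir" ls-files --error-unmatch -- "$cos_f" >/dev/null 2>&1; then
      echo "TRACKED  $cos_path is in the git index; untrack and ignore it" >&2
      cos_rc=1
    fi
  done
  return "$cos_rc"
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
  check_overlay_secrets "$1"
fi
```

Chaining it in front of the apply step (`sh check-secrets.sh <secrets-dir> && kubectl apply -k ...`) stops a deploy that would ship template values.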