philipp/doran
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
doran/deploy/k8s/secrets/README.md
Philipp 63975a9e7a feat: add headlamp web ui for cluster ops
2026-03-29 10:28:09 +02:00

37 lines
2 KiB
Markdown
Raw Blame History

# Required Kubernetes secrets
Base manifests and the Hetzner single-node overlay both expect secrets to be supplied out-of-band. The Hetzner overlay generates `unrip/unrip-secrets`, `forgejo/forgejo-secrets`, `observability/observability-secrets`, and `registry/registry-secrets` from local files.
## Required secrets
- `unrip/unrip-secrets`
- `NEAR_INTENTS_API_KEY`
- `forgejo/forgejo-secrets`
- `root_url`
- `domain`
- `registry/registry-secrets`
- `htpasswd`
- `observability/observability-secrets`
- `grafana_admin_user`
- `grafana_admin_password`
- `grafana_root_url`
## Overlay-driven generation
The `deploy/k8s/overlays/hetzner-single-node` overlay can generate these from local files via `secretGenerator`.
Example workflow:
```bash
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/observability.env.example deploy/k8s/overlays/hetzner-single-node/secrets/observability.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
```
The Forgejo runner no longer expects a pre-seeded `runner_registration_token` secret; `scripts/hetzner/bootstrap.sh` generates a one-time token in-cluster, registers the runner, stores the resulting `/data/.runner` config on the `forgejo-runner-data` PVC, and then restarts the deployment.
Headlamp login is different: its Kubernetes service-account token is generated in-cluster from `deploy/k8s/platform/base/headlamp.yaml` and bootstrap can optionally store that token in `pass` via `HEADLAMP_ADMIN_TOKEN_PASS`. It is not sourced from a checked-in env file.
For future projects, follow the same convention with project-specific secret names in project-specific namespaces.
Do not commit populated secret files.
Reference in a new issue View git blame Copy permalink