29 lines
1.2 KiB
Markdown
29 lines
1.2 KiB
Markdown
# Required Kubernetes secrets
|
|
|
|
Base manifests and the Hetzner single-node overlay both expect secrets to be supplied out-of-band. The Hetzner overlay generates `unrip/unrip-secrets`, `forgejo/forgejo-secrets`, and `registry/registry-secrets` from local files.
|
|
|
|
## Required secrets
|
|
- `unrip/unrip-secrets`
|
|
- `NEAR_INTENTS_API_KEY`
|
|
- `forgejo/forgejo-secrets`
|
|
- `root_url`
|
|
- `domain`
|
|
- `runner_registration_token`
|
|
- `registry/registry-secrets`
|
|
- `htpasswd`
|
|
|
|
## Overlay-driven generation
|
|
The `deploy/k8s/overlays/hetzner-single-node` overlay can generate these from local files via `secretGenerator`.
|
|
|
|
Example workflow:
|
|
|
|
```bash
|
|
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
|
|
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
|
|
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
|
|
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
|
|
```
|
|
|
|
For future projects, follow the same convention with project-specific secret names in project-specific namespaces.
|
|
|
|
Do not commit populated secret files.
|