Required Kubernetes secrets
Base manifests and the Hetzner single-node overlay both expect secrets to be supplied out-of-band. The Hetzner overlay generates unrip/unrip-secrets, forgejo/forgejo-secrets, and registry/registry-secrets from local files.
Required secrets
unrip/unrip-secrets: NEAR_INTENTS_API_KEY
forgejo/forgejo-secrets: root_url, domain, runner_registration_token
registry/registry-secrets: htpasswd
Overlay-driven generation
The deploy/k8s/overlays/hetzner-single-node overlay can generate these from local files via secretGenerator.
Example workflow:
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
For future projects, follow the same convention with project-specific secret names in project-specific namespaces.
Do not commit populated secret files.
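A pre-flight check that can run before the kubectl apply step, shown here as an added example and not part of this repository. The file names come from the workflow above; the function names and the specific checks (non-empty, changed from the .example template, owner-only permissions, not tracked by git) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the overlay's local secret files.
# Usage: preflight deploy/k8s/overlays/hetzner-single-node/secrets \
#          && kubectl apply -k deploy/k8s/overlays/hetzner-single-node

# check_secret_file DIR NAME -> 0 if the file is fit to deploy, 1 otherwise.
check_secret_file() {
    dir=$1 name=$2 f="$1/$2"
    if [ ! -s "$f" ]; then
        echo "FAIL $name: missing or empty" >&2; return 1
    fi
    # Identical to the template means placeholder values would be deployed.
    if [ -f "$f.example" ] && cmp -s "$f" "$f.example"; then
        echo "FAIL $name: unchanged copy of $name.example" >&2; return 1
    fi
    # Columns 5-10 of the ls mode string are the group/other bits; all must be clear.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL $name: readable beyond owner (chmod 600)" >&2; return 1
    fi
    # Inside a git work tree, the populated file must not be tracked.
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
        echo "FAIL $name: tracked by git" >&2; return 1
    fi
    return 0
}

# preflight DIR -> exit status is the number of files that failed (0 = all good).
preflight() {
    failures=0
    for name in unrip.env forgejo.env registry.htpasswd; do
        check_secret_file "$1" "$name" || failures=$((failures + 1))
    done
    return "$failures"
}
```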