mirror of
https://github.com/ryankazokas/turbovault-app.git
synced 2026-04-16 22:12:53 +00:00
# Gitea Secrets Configuration

This document explains which secrets you need to configure in Gitea for automatic builds and deployments.

## Required Secrets

### 1. GITEA_TOKEN

**Purpose:** Allows Gitea Actions to push Docker images to the Gitea Container Registry

**How to create:**

1. Go to Gitea → **Settings** → **Applications**
2. Under **"Generate New Token"**, enter the name `gitea-actions`
3. Select scopes:
   - ✅ `write:package` (push container images)
   - ✅ `read:package` (pull container images)
4. Click **"Generate Token"**
5. Copy the token right away; Gitea displays it only once

**How to add to repository:**

1. Go to your Gitea repository: `gitea.kazcloud.dev/ryankazokas/turbovault-app`
2. Click **Settings** → **Secrets**
3. Click **"Add Secret"**
4. Name: `GITEA_TOKEN`
5. Value: Paste the token you copied
6. Click **"Add Secret"**

---

### 2. KUBECONFIG

**Purpose:** Allows Gitea Actions to deploy to your Kubernetes cluster

**How to create:**

```bash
# Export your kubeconfig as single-line base64 (-w 0 disables line wrapping)
base64 -w 0 < ~/.kube/config > kubeconfig-base64.txt

# Copy the contents of kubeconfig-base64.txt
cat kubeconfig-base64.txt
```

**How to add to repository:**

1. Go to your Gitea repository: `gitea.kazcloud.dev/ryankazokas/turbovault-app`
2. Click **Settings** → **Secrets**
3. Click **"Add Secret"**
4. Name: `KUBECONFIG`
5. Value: Paste the base64-encoded kubeconfig
6. Click **"Add Secret"**

**⚠️ Security Note:** This gives Gitea Actions full access to your Kubernetes cluster (everything your own kubeconfig can do). Only add this to trusted repositories, and prefer the scoped kubeconfig described in the next section.

---

## Optional: Scoped Kubeconfig (More Secure)

Instead of using your full kubeconfig, create a limited service account:

```bash
# Create service account for deployments
kubectl create serviceaccount turbovault-deployer -n turbovault

# Create role with deployment permissions (a namespaced Role, not a ClusterRole)
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: turbovault-deployer
  namespace: turbovault
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  # "watch" is required by "kubectl rollout status", which the workflow uses to wait for the rollout
  verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments/status"]
  verbs: ["get"]
EOF

# Bind role to service account
kubectl create rolebinding turbovault-deployer \
  --role=turbovault-deployer \
  --serviceaccount=turbovault:turbovault-deployer \
  -n turbovault

# Get a service account token (kept in a shell variable rather than written to disk).
# 87600h is ten years; the API server shortens it if a maximum token lifetime is
# configured, and a token this long-lived should be rotated regularly.
TOKEN=$(kubectl create token turbovault-deployer -n turbovault --duration=87600h)

# Take the cluster CA from your main kubeconfig so the API server's certificate is
# still verified (insecure-skip-tls-verify: true would skip server authentication)
CA_DATA=$(kubectl config view --raw --flatten --minify \
  -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')

# Create minimal kubeconfig
cat <<EOF > deployer-kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://100.101.31.99:6443
    certificate-authority-data: ${CA_DATA}
  name: k3s
contexts:
- context:
    cluster: k3s
    namespace: turbovault
    user: turbovault-deployer
  name: k3s
current-context: k3s
users:
- name: turbovault-deployer
  user:
    token: ${TOKEN}
EOF

# Encode for Gitea
base64 -w 0 < deployer-kubeconfig.yaml > deployer-kubeconfig-base64.txt

# Use this in KUBECONFIG secret instead
cat deployer-kubeconfig-base64.txt
```

This limits Gitea Actions to updating the TurboVault deployment in the `turbovault` namespace instead of giving it full cluster access.
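As an added example (not part of the turbovault-app repository or its scripts), the script below checks a `KUBECONFIG` secret value the way the troubleshooting section suggests (single-line base64 that decodes to a kubeconfig) and then asks the API server, via `kubectl auth can-i`, whether the scoped token has exactly the permissions the Role above grants and nothing outside the `turbovault` namespace. It assumes `kubectl` is installed and the files produced by the commands above exist.

```bash
#!/usr/bin/env bash
# Added example, not part of the turbovault-app repository: check a KUBECONFIG secret
# value before pasting it into Gitea, and confirm the scoped service account can do
# exactly what the workflow needs (and nothing outside the turbovault namespace).
set -euo pipefail

# Returns 0 if VALUE is single-line base64 that decodes to a kubeconfig document.
check_kubeconfig_b64() {
  local value="$1" decoded
  case "$value" in
    *$'\n'*) echo "value contains line breaks: re-encode with 'base64 -w 0'" >&2; return 1 ;;
  esac
  if ! decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null); then
    echo "value is not valid base64" >&2; return 1
  fi
  case "$decoded" in
    *"kind: Config"*) return 0 ;;
    *) echo "decoded value is not a kubeconfig (no 'kind: Config')" >&2; return 1 ;;
  esac
}

# Asks the API server, through the scoped kubeconfig, what the token may do.
# Expected answers follow the Role above: yes for the deploy verbs, no for everything else.
verify_scoped_access() {
  local kubeconfig="$1" ns="${2:-turbovault}" failures=0
  local checks=(
    "yes patch deployments -n $ns"   # kubectl set image
    "yes watch deployments -n $ns"   # kubectl rollout status
    "yes get pods -n $ns"
    "no create deployments -n $ns"   # the workflow must not create workloads
    "no get secrets -n $ns"          # no read access to application secrets
    "no get pods -n kube-system"     # nothing outside the namespace
    "no list nodes"                  # no cluster-scoped access
  )
  local line want got
  for line in "${checks[@]}"; do
    want=${line%% *}
    # can-i prints "yes" or "no" (possibly "no - reason") and exits 1 for "no"
    got=$(kubectl --kubeconfig="$kubeconfig" auth can-i ${line#* } 2>/dev/null || true)
    if [ "${got%% *}" = "$want" ]; then
      echo "ok    can-i ${line#* } -> $got"
    else
      echo "FAIL  can-i ${line#* } -> '${got:-error}', expected $want"; failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage, after running the scoped-kubeconfig steps above:
#   check_kubeconfig_b64 "$(cat deployer-kubeconfig-base64.txt)" && verify_scoped_access deployer-kubeconfig.yaml
```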

---

## Verifying Secrets

After adding secrets, you can verify they're set:

1. Go to repository → **Settings** → **Secrets**
2. You should see:
   - `GITEA_TOKEN` ✅
   - `KUBECONFIG` ✅

**Note:** You can't view secret values after creation (security feature).

---

## Testing the Workflow

After secrets are configured:

```bash
# Create a test tag
git tag v0.0.1-test
git push origin v0.0.1-test
```

Watch the workflow at:
`gitea.kazcloud.dev/ryankazokas/turbovault-app/actions`

The workflow should:

1. ✅ Build Docker image
2. ✅ Push to Gitea registry
3. ✅ Deploy to Kubernetes
4. ✅ Wait for rollout to complete

---

## Troubleshooting

### "Error: authentication required"

- Check that `GITEA_TOKEN` is set and has the `write:package` scope

### "Error: Unable to connect to the server"

- Check that the `KUBECONFIG` secret is set correctly
- Verify the base64 encoding (no line breaks; encode with `-w 0`)
- Test that the kubeconfig works locally: `kubectl --kubeconfig=<file> get pods -n turbovault`

### "Error: deployment not found"

- Make sure the initial deployment has been done first: `./scripts/deploy-k8s.sh`
- The workflow only updates existing deployments; it doesn't create them

---

## Security Best Practices

✅ **DO:**

- Use a service account with minimal permissions (Role, not ClusterRole)
- Rotate tokens regularly
- Only add secrets to repositories you control

❌ **DON'T:**

- Share secrets in code or documentation
- Use the admin kubeconfig when a scoped one will do
- Commit secrets to git

---

## Summary

**Two secrets required:**

1. **GITEA_TOKEN** - For pushing container images
2. **KUBECONFIG** - For deploying to Kubernetes

Both are added at: `gitea.kazcloud.dev/ryankazokas/turbovault-app/settings/secrets`

After setup, just push tags to trigger automatic builds and deployments! 🚀