bakery-ia/infrastructure/cicd/tekton/secrets/secrets.yaml

# CI/CD Secrets for Tekton Pipelines
#
# WARNING: This file contains EXAMPLE values only!
# DO NOT use these values in production.
#
# To create actual secrets, use ONE of these methods:
#
# Method 1 (Recommended): Use the generate-secrets.sh script
#   ./generate-secrets.sh --gitea-user <username> --gitea-password <password>
#
# Method 2: Create secrets manually with kubectl
#   kubectl create secret generic gitea-webhook-secret \
#     --namespace tekton-pipelines \
#     --from-literal=secretToken="$(openssl rand -hex 32)"
#
# Method 3: Use Sealed Secrets for GitOps
#   kubeseal < secrets-template.yaml > sealed-secrets.yaml
#
# Method 4: Use External Secrets Operator
#   Configure ESO to pull from your secret store (Vault, AWS SM, etc.)

---
# Example Secret for Gitea webhook validation
# Used by EventListener to validate incoming webhooks
apiVersion: v1
kind: Secret
metadata:
  name: gitea-webhook-secret
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
  annotations:
    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
type: Opaque
stringData:
  # Generate with: openssl rand -hex 32
  secretToken: "example-webhook-token-do-not-use-in-production"

---
# Example Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
apiVersion: v1
kind: Secret
metadata:
  name: gitea-registry-credentials
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: build
  annotations:
    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {
      "auths": {
        "gitea.bakery-ia.local:5000": {
          "username": "example-user",
          "password": "example-password"
        }
      }
    }

---
# Example Secret for Git credentials (used by pipeline to push GitOps updates)
apiVersion: v1
kind: Secret
metadata:
  name: gitea-git-credentials
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: gitops
  annotations:
    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
type: Opaque
stringData:
  username: "example-user"
  password: "example-password"

---
# Example Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
apiVersion: v1
kind: Secret
metadata:
  name: gitea-credentials
  namespace: flux-system
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: flux
  annotations:
    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
type: Opaque
stringData:
  username: "example-user"
  password: "example-password"
Add new infra architecture 2026-01-19 11:55:17 +01:00			`# CI/CD Secrets for Tekton Pipelines`
			`#`
			`# WARNING: This file contains EXAMPLE values only!`
			`# DO NOT use these values in production.`
			`#`
			`# To create actual secrets, use ONE of these methods:`
			`#`
			`# Method 1 (Recommended): Use the generate-secrets.sh script`
			`# ./generate-secrets.sh --gitea-user <username> --gitea-password <password>`
			`#`
			`# Method 2: Create secrets manually with kubectl`
			`# kubectl create secret generic gitea-webhook-secret \`
			`# --namespace tekton-pipelines \`
			`# --from-literal=secretToken="$(openssl rand -hex 32)"`
			`#`
			`# Method 3: Use Sealed Secrets for GitOps`
			`# kubeseal < secrets-template.yaml > sealed-secrets.yaml`
			`#`
			`# Method 4: Use External Secrets Operator`
			`# Configure ESO to pull from your secret store (Vault, AWS SM, etc.)`

			`---`
			`# Example Secret for Gitea webhook validation`
			`# Used by EventListener to validate incoming webhooks`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: gitea-webhook-secret`
			`namespace: tekton-pipelines`
			`labels:`
			`app.kubernetes.io/name: bakery-ia-cicd`
			`app.kubernetes.io/component: triggers`
			`annotations:`
			`note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"`
			`type: Opaque`
			`stringData:`
			`# Generate with: openssl rand -hex 32`
			`secretToken: "example-webhook-token-do-not-use-in-production"`

			`---`
			`# Example Secret for Gitea container registry credentials`
			`# Used by Kaniko to push images to Gitea registry`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: gitea-registry-credentials`
			`namespace: tekton-pipelines`
			`labels:`
			`app.kubernetes.io/name: bakery-ia-cicd`
			`app.kubernetes.io/component: build`
			`annotations:`
			`note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"`
			`type: kubernetes.io/dockerconfigjson`
			`stringData:`
			`.dockerconfigjson: \|`
			`{`
			`"auths": {`
			`"gitea.bakery-ia.local:5000": {`
			`"username": "example-user",`
			`"password": "example-password"`
			`}`
			`}`
			`}`

			`---`
			`# Example Secret for Git credentials (used by pipeline to push GitOps updates)`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: gitea-git-credentials`
			`namespace: tekton-pipelines`
			`labels:`
			`app.kubernetes.io/name: bakery-ia-cicd`
			`app.kubernetes.io/component: gitops`
			`annotations:`
			`note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"`
			`type: Opaque`
			`stringData:`
			`username: "example-user"`
			`password: "example-password"`

			`---`
			`# Example Secret for Flux GitRepository access`
			`# Used by Flux to pull from Gitea repository`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: gitea-credentials`
			`namespace: flux-system`
			`labels:`
			`app.kubernetes.io/name: bakery-ia-cicd`
			`app.kubernetes.io/component: flux`
			`annotations:`
			`note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"`
			`type: Opaque`
			`stringData:`
			`username: "example-user"`
			`password: "example-password"`