# Gitea Admin Secret Integration for Tekton

This document explains how Tekton CI/CD integrates with the existing Gitea admin secret to ensure credential consistency across the system.

## Architecture Overview

```mermaid
graph TD
    A[Gitea Admin Secret] --> B[Tekton Registry Credentials]
    A --> C[Tekton Git Credentials]
    A --> D[Flux Git Credentials]
    B --> E[Kaniko Build Task]
    C --> F[GitOps Update Task]
    D --> G[Flux GitRepository]
```

## How It Works

The system uses Helm's `lookup` function to reference the existing `gitea-admin-secret` in the Gitea namespace, ensuring that:

1. **Single Source of Truth**: All CI/CD components use the same credentials as Gitea
2. **Automatic Synchronization**: When the Gitea admin password changes, all CI/CD components automatically use the new credentials
3. **Reduced Maintenance**: No need to manually update credentials in multiple places

Note that `lookup` is evaluated when the chart is rendered against the cluster: the derived secrets are (re)created on each `helm install` or `helm upgrade`, and `helm template` or a client-side `--dry-run` gets an empty result from `lookup`.

## Secret Reference Flow

```
Gitea Namespace:
  gitea-admin-secret
  ├── username: bakery-admin
  └── password: [secure-password]

Tekton Namespace:
  ├── gitea-registry-credentials (dockerconfigjson)
  │   └── references gitea-admin-secret.password
  │
  ├── gitea-git-credentials (opaque)
  │   └── references gitea-admin-secret.password
  │
  └── gitea-credentials (opaque) [flux-system namespace]
      └── references gitea-admin-secret.password
```

## Deployment Requirements

### Prerequisites

1. **Gitea must be installed first**: The `gitea-admin-secret` must exist before deploying Tekton
2. **Same username**: All components use `bakery-admin` as the username
3. **Namespace access**: The Tekton service account needs read access to secrets in the Gitea namespace

### Installation Steps

1. **Install Gitea with admin secret**:

   ```bash
   # Run the setup script to create gitea-admin-secret
   ./infrastructure/cicd/gitea/setup-admin-secret.sh your-secure-password

   # Install Gitea Helm chart
   helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
   ```

2. **Install Tekton with secret references**:

   ```bash
   # Install Tekton - it will automatically reference the Gitea admin secret
   helm install tekton-cicd infrastructure/cicd/tekton-helm \
     --namespace tekton-pipelines \
     --set secrets.webhook.token="your-webhook-token"
   ```

## Troubleshooting

### Common Issues

1. **Secret not found error**:
   - Ensure Gitea is installed before Tekton
   - Verify the `gitea-admin-secret` exists in the `gitea` namespace
   - Check that the Tekton service account has RBAC permissions to read Gitea secrets

2. **Authentication failures**:
   - Verify the Gitea admin password is correct
   - Ensure the username is `bakery-admin` (matching the Gitea admin)
   - Check that the password hasn't been manually changed in the Gitea UI

### Debugging Commands

```bash
# Check if gitea-admin-secret exists
kubectl get secret gitea-admin-secret -n gitea

# Verify Tekton secrets were created correctly
kubectl get secret gitea-registry-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-git-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-credentials -n flux-system -o yaml

# Check RBAC permissions
kubectl get role,rolebinding,clusterrole,clusterrolebinding -n tekton-pipelines
```

## Security Considerations

### Benefits

1. **Reduced attack surface**: Fewer secrets to manage and rotate
2. **Automatic rotation**: Changing the Gitea admin password automatically updates all CI/CD components
3. **Consistent access control**: Single point for credential management

### Best Practices

1. **Use strong passwords**: Generate secure random passwords for the Gitea admin
2. **Rotate regularly**: Change the Gitea admin password periodically
3. **Limit access**: Restrict who can read the `gitea-admin-secret`. Because every derived secret holds the same admin password, read access to `gitea-registry-credentials`, `gitea-git-credentials` or `gitea-credentials` must be restricted just as tightly
4. **Audit logs**: Monitor access to the admin secret

## Manual Override

If you need to use different credentials for specific components, you can override the values:

```bash
helm install tekton-cicd infrastructure/cicd/tekton-helm \
  --namespace tekton-pipelines \
  --set secrets.webhook.token="your-webhook-token" \
  --set secrets.registry.password="custom-registry-password" \
  --set secrets.git.password="custom-git-password"
```

However, this is **not recommended** as it breaks the single source of truth principle.

## Helm Template Details

The integration uses Helm's `lookup` function with `b64dec` to decode the base64-encoded password. The decode is applied only to the looked-up value, so an override supplied through `.Values` is used as plain text:

```yaml
password: {{ .Values.secrets.git.password | default ((lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec) | quote }}
```

This means:

1. Look up the `gitea-admin-secret` in the `gitea` namespace
2. Get the `password` field from the secret's `data` section
3. Base64 decode it (Kubernetes stores secret data as base64)
4. Use it as the password value
5. If `.Values.secrets.git.password` is provided, use that instead (for manual override)

## Conclusion

This integration provides a robust, secure way to manage credentials across the CI/CD pipeline while maintaining consistency with Gitea's admin credentials.
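As an added example that complements the Debugging Commands above (it is not part of the project's own tooling), the following check compares the password in `gitea-admin-secret` against each derived secret, which catches the drift that occurs when the admin password is changed but the Tekton chart has not been upgraded since. It assumes the opaque secrets carry `username` and `password` keys and that the dockerconfigjson secret holds a single `auths` entry with an `auth` field; the Secret objects below are constructed samples in the shape `kubectl get secret -o json` returns.

```python
import base64
import json

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()  # how Kubernetes stores Secret data

# Constructed sample Secrets in the shape `kubectl get secret -o json` returns.
# Registry host and passwords are placeholders, not values from a real deployment.
ADMIN_SECRET = {
    "metadata": {"name": "gitea-admin-secret", "namespace": "gitea"}, "type": "Opaque",
    "data": {"username": b64("bakery-admin"), "password": b64("current-pass")},
}
REGISTRY_SECRET = {
    "metadata": {"name": "gitea-registry-credentials", "namespace": "tekton-pipelines"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": b64(json.dumps({"auths": {
        "gitea.example.internal": {"auth": b64("bakery-admin:current-pass")}}}))},
}
GIT_SECRET = {
    "metadata": {"name": "gitea-git-credentials", "namespace": "tekton-pipelines"},
    "type": "Opaque",
    "data": {"username": b64("bakery-admin"), "password": b64("current-pass")},
}
# Flux copy rendered before the last password change, so it has drifted.
FLUX_SECRET = {
    "metadata": {"name": "gitea-credentials", "namespace": "flux-system"}, "type": "Opaque",
    "data": {"username": b64("bakery-admin"), "password": b64("old-pass")},
}

def decode_field(secret: dict, key: str):
    """Base64-decode one key of a Secret's data map; None if the key is absent."""
    raw = secret.get("data", {}).get(key)
    return base64.b64decode(raw).decode() if raw is not None else None

def derived_credentials(secret: dict) -> tuple:
    """Return (username, password) held by a derived secret of either type."""
    if secret.get("type") == "kubernetes.io/dockerconfigjson":
        cfg = json.loads(decode_field(secret, ".dockerconfigjson"))
        # Assumes a single registry entry whose `auth` is base64("user:password").
        entry = next(iter(cfg["auths"].values()))
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        return user, password
    return decode_field(secret, "username"), decode_field(secret, "password")

def find_drift(admin: dict, derived: list) -> list:
    """Names (namespace/name) of derived secrets whose credentials differ from admin."""
    expected = (decode_field(admin, "username"), decode_field(admin, "password"))
    return [f"{s['metadata']['namespace']}/{s['metadata']['name']}"
            for s in derived if derived_credentials(s) != expected]
```

On a live cluster, feed `find_drift` the JSON from the `kubectl get secret ... -o json` commands instead of the constructed samples; any name it returns is a secret that needs a `helm upgrade` to be re-rendered from `gitea-admin-secret`.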