# Tekton CI/CD secrets -- TEMPLATE ONLY.
#
# Every value below is a `${...}` placeholder; nothing here is a real
# credential and this file must never be committed with real ones.
# Placeholders are filled by generate-secrets.sh (presumably via shell
# substitution before `kubectl apply` -- confirm against the script).
# NOTE(review): an unsubstituted placeholder is applied to the cluster
# verbatim as a string; check the rendered output before applying.
#
# Production options for getting the filled-in secrets into the cluster:
#   1. Sealed Secrets:            kubeseal < secrets.yaml > sealed-secrets.yaml
#   2. External Secrets Operator: point it at your secret store
#   3. Manual creation:           kubectl create secret ... (see generate-secrets.sh)
#
# NOTE(review): the same GITEA_USERNAME / GITEA_PASSWORD pair is reused by
# three Secrets in two namespaces (registry push, GitOps push, Flux pull).
# Scoped per-purpose tokens would limit the blast radius of a leak and make
# rotation independent per consumer; as written, rotating the password
# means re-applying all three.
---
# Shared token that the Tekton EventListener uses to validate Gitea webhooks.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gitea-webhook-secret
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
stringData:
  # Suggested generation: openssl rand -hex 32
  # Must match the secret configured on the Gitea webhook itself.
  secretToken: '${WEBHOOK_SECRET_TOKEN}'
---
# Docker-config credentials Kaniko uses to push images to the Gitea registry.
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: gitea-registry-credentials
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: build
stringData:
  # NOTE(review): the JSON is assembled by plain text substitution with no
  # escaping -- a password or URL containing `"` or `\` produces a malformed
  # .dockerconfigjson that the kubelet/Kaniko will reject. For such values,
  # prefer the `kubectl create secret docker-registry` path, which escapes
  # correctly.
  .dockerconfigjson: |
    {
      "auths": {
        "${REGISTRY_URL}": {
          "username": "${GITEA_USERNAME}",
          "password": "${GITEA_PASSWORD}"
        }
      }
    }
---
# Git basic-auth credentials the pipeline uses to push GitOps updates.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gitea-git-credentials
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: gitops
stringData:
  username: '${GITEA_USERNAME}'
  password: '${GITEA_PASSWORD}'
---
# Credentials Flux uses for its GitRepository source pulling from Gitea.
# Lives in flux-system rather than tekton-pipelines, so it is a separate
# object even though it carries the same values as gitea-git-credentials.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gitea-credentials
  namespace: flux-system
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: flux
stringData:
  username: '${GITEA_USERNAME}'
  password: '${GITEA_PASSWORD}'