bakery-ia/infrastructure/cicd/tekton-helm/GITEA_SECRET_INTEGRATION.md
2026-01-20 10:39:40 +01:00

Gitea Admin Secret Integration for Tekton

This document explains how Tekton CI/CD integrates with the existing Gitea admin secret to ensure credential consistency across the system.

Architecture Overview

graph TD
    A[Gitea Admin Secret] --> B[Tekton Registry Credentials]
    A --> C[Tekton Git Credentials]
    A --> D[Flux Git Credentials]
    B --> E[Kaniko Build Task]
    C --> F[GitOps Update Task]
    D --> G[Flux GitRepository]

How It Works

The system uses Helm's lookup function to reference the existing gitea-admin-secret from the Gitea namespace, ensuring that:

  1. Single Source of Truth: All CI/CD components use the same credentials as Gitea
  2. Automatic Synchronization: When Gitea admin password changes, all CI/CD components automatically use the new credentials
  3. Reduced Maintenance: No need to manually update credentials in multiple places

Secret Reference Flow

Gitea Namespace: gitea-admin-secret
    ├── username: bakery-admin
    └── password: [secure-password]

Tekton Namespace:
├── gitea-registry-credentials (dockerconfigjson)
│   └── references gitea-admin-secret.password
├── gitea-git-credentials (opaque)
│   └── references gitea-admin-secret.password
└── gitea-credentials (opaque) [flux-system namespace]
    └── references gitea-admin-secret.password

Deployment Requirements

Prerequisites

  1. Gitea must be installed first: The gitea-admin-secret must exist before deploying Tekton
  2. Same username: All components use bakery-admin as the username
  3. Namespace access: Tekton service account needs read access to Gitea namespace secrets

Installation Steps

  1. Install Gitea with admin secret:

    # Run the setup script to create gitea-admin-secret
    ./infrastructure/cicd/gitea/setup-admin-secret.sh your-secure-password
    
    # Install Gitea Helm chart
    helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
    
  2. Install Tekton with secret references:

    # Install Tekton - it will automatically reference the Gitea admin secret
    helm install tekton-cicd infrastructure/cicd/tekton-helm \
      --namespace tekton-pipelines \
      --set secrets.webhook.token="your-webhook-token"
    

Troubleshooting

Common Issues

  1. Secret not found error:

    • Ensure Gitea is installed before Tekton
    • Verify the gitea-admin-secret exists in the gitea namespace
    • Check that Tekton service account has RBAC permissions to read Gitea secrets
  2. Authentication failures:

    • Verify the Gitea admin password is correct
    • Ensure the username is bakery-admin (matching the Gitea admin)
    • Check that the password hasn't been manually changed in Gitea UI

Debugging Commands

# Check if gitea-admin-secret exists
kubectl get secret gitea-admin-secret -n gitea

# Verify Tekton secrets were created correctly
kubectl get secret gitea-registry-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-git-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-credentials -n flux-system -o yaml

# Check RBAC permissions
kubectl get role,rolebinding,clusterrole,clusterrolebinding -n tekton-pipelines
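The commands above show the secrets but not whether their contents still agree. The following script (an added example, not part of the bakery-ia project) compares the password in each derived secret, including the auth entry inside the dockerconfigjson one, with the source gitea-admin-secret and reports any copy that has drifted. It runs on constructed sample secrets in `kubectl get secret -o json` shape; the registry host and passwords are placeholders.

```python
import base64
import json


def decode_field(secret: dict, key: str) -> str:
    """Base64-decode one entry of a Secret's data section."""
    return base64.b64decode(secret["data"][key]).decode()


def registry_password(secret: dict, username: str) -> str:
    """Pull the password for `username` out of a dockerconfigjson Secret."""
    cfg = json.loads(decode_field(secret, ".dockerconfigjson"))
    for entry in cfg["auths"].values():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        if user == username:
            return password
    raise KeyError(f"no auth entry for {username}")


def stale_copies(source: dict, copies: dict, username: str) -> list:
    """Names of derived Secrets whose password no longer matches the source."""
    expected = decode_field(source, "password")
    stale = []
    for name, secret in copies.items():
        try:
            if secret.get("type") == "kubernetes.io/dockerconfigjson":
                actual = registry_password(secret, username)
            else:
                actual = decode_field(secret, "password")
        except KeyError:  # missing field or no entry for the user counts as drift
            actual = None
        if actual != expected:
            stale.append(name)
    return stale


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample Secrets; gitea-credentials is deliberately left with the
# pre-rotation password so the check has something to report.
SAMPLE_SOURCE = {"type": "Opaque", "data": {"username": _b64("bakery-admin"), "password": _b64("new-pass")}}
SAMPLE_COPIES = {
    "gitea-registry-credentials": {"type": "kubernetes.io/dockerconfigjson", "data": {
        ".dockerconfigjson": _b64(json.dumps({"auths": {"registry.example": {"auth": _b64("bakery-admin:new-pass")}}}))}},
    "gitea-git-credentials": {"type": "Opaque", "data": {"password": _b64("new-pass")}},
    "gitea-credentials": {"type": "Opaque", "data": {"password": _b64("old-pass")}},
}

if __name__ == "__main__":
    print("stale copies:", stale_copies(SAMPLE_SOURCE, SAMPLE_COPIES, "bakery-admin"))
```

Against a live cluster, feed the dicts from `kubectl get secret <name> -n <namespace> -o json` for the four secrets listed above.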

Security Considerations

Benefits

  1. Reduced attack surface: Fewer secrets to manage and rotate
  2. Automatic rotation: Changing Gitea admin password automatically updates all CI/CD components
  3. Consistent access control: Single point for credential management

Best Practices

  1. Use strong passwords: Generate secure random passwords for Gitea admin
  2. Rotate regularly: Change the Gitea admin password periodically
  3. Limit access: Restrict who can read the gitea-admin-secret
  4. Audit logs: Monitor access to the admin secret

Manual Override

If you need to use different credentials for specific components, you can override the values:

helm install tekton-cicd infrastructure/cicd/tekton-helm \
  --namespace tekton-pipelines \
  --set secrets.webhook.token="your-webhook-token" \
  --set secrets.registry.password="custom-registry-password" \
  --set secrets.git.password="custom-git-password"

However, this is not recommended as it breaks the single source of truth principle.

Helm Template Details

The integration uses Helm's lookup function with b64dec to decode the base64-encoded password. The decode must apply only to the looked-up value: a password passed in through .Values.secrets.git.password is already plaintext, so it is kept out of the b64dec pipeline:

password: {{ .Values.secrets.git.password | default ((lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec) | quote }}

Note that lookup returns an empty map when rendering with helm template or a client-side --dry-run, so the password only resolves against a live cluster where gitea-admin-secret already exists.

This means:

  1. Look up the gitea-admin-secret in the gitea namespace
  2. Get the password field from the secret's data section
  3. Base64 decode it (Kubernetes stores secret data as base64)
  4. Use it as the password value
  5. If .Values.secrets.git.password is provided, use that instead (for manual override)

Conclusion

This integration provides a robust, secure way to manage credentials across the CI/CD pipeline while maintaining consistency with Gitea's admin credentials.