bakery-ia/infrastructure/cicd/tekton-helm/templates/secrets.yaml

# Secret for Gitea webhook validation
# Used by EventListener to validate incoming webhooks
apiVersion: v1
kind: Secret
metadata:
  name: gitea-webhook-secret
  namespace: {{ .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: triggers
  annotations:
    note: "Webhook secret for validating incoming webhooks"
type: Opaque
stringData:
  secretToken: {{ .Values.secrets.webhook.token | quote }}
---
# Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
apiVersion: v1
kind: Secret
metadata:
  name: gitea-registry-credentials
  namespace: {{ .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: build
  annotations:
    note: "Registry credentials for pushing images"
type: kubernetes.io/dockerconfigjson
stringData:
  {{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username .Values.secrets.registry.password }}
  .dockerconfigjson: |
    {
      "auths": {
        {{ .Values.secrets.registry.registryUrl | quote }}: {
          "username": {{ .Values.secrets.registry.username | quote }},
          "password": {{ .Values.secrets.registry.password | quote }}
        }
      }
    }
  {{- else }}
  .dockerconfigjson: '{"auths":{}}'
  {{- end }}
---
# Secret for Git credentials (used by pipeline to push GitOps updates)
apiVersion: v1
kind: Secret
metadata:
  name: gitea-git-credentials
  namespace: {{ .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: gitops
  annotations:
    note: "Git credentials for GitOps updates"
type: Opaque
stringData:
  username: {{ .Values.secrets.git.username | quote }}
  password: {{ .Values.secrets.git.password | quote }}
---
# Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
apiVersion: v1
kind: Secret
metadata:
  name: gitea-credentials
  namespace: {{ .Values.pipeline.deployment.fluxNamespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: flux
  annotations:
    note: "Credentials for Flux GitRepository access"
type: Opaque
stringData:
  username: {{ .Values.secrets.git.username | quote }}
  password: {{ .Values.secrets.git.password | quote }}