openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
8d2ba0495d
openova/platform/gitea/chart/templates/database-secret.yaml
e3mrah 8d2ba0495d
fix(bp-gitea): switch to CNPG-managed postgres, drop bitnamilegacy subchart (Closes #584) (#586) 
Squash merge: fix(bp-gitea) switch to CNPG-managed postgres (Closes #584)
2026-05-02 15:18:49 +04:00

44 lines
2.0 KiB
YAML
Raw Blame History

{{- /*
Placeholder Secret that reflector (bp-reflector) populates from the CNPG-
generated `gitea-pg-app` Secret.
Gitea reads the database password from GITEA__database__PASSWD environment
variable. CNPG produces `gitea-pg-app` with a `password` key. This Secret
acts as the bridge: reflector copies all keys from `gitea-pg-app` into this
Secret including `password`, which the Gitea deployment references via
secretKeyRef.
Why not Helm `lookup`?
Helm `lookup` is evaluated only during `helm install` / `helm upgrade`
template rendering. On a fresh Sovereign, CNPG bootstraps the Cluster AFTER
the bp-gitea HelmRelease applies. The first Helm render finds `gitea-pg-app`
absent and writes an empty password. Reflector is event-driven: as soon as
`gitea-pg-app` is created (or rotated), the watch fires and this Secret is
updated — no operator action required.
Per docs/INVIOLABLE-PRINCIPLES.md #10 (credential hygiene): no plaintext
credentials appear in this committed template. The reflector copies bytes from
a live cluster Secret.
*/}}
apiVersion: v1
kind: Secret
metadata:
name: gitea-database-secret
namespace: {{ .Values.postgres.cluster.namespace | default .Release.Namespace }}
labels:
catalyst.openova.io/blueprint: bp-gitea
catalyst.openova.io/component: gitea
annotations:
# Reflector (bp-reflector) copies all keys from gitea-pg-app into this
# Secret. Gitea reads GITEA__database__PASSWD from the `password` key.
reflector.v1.k8s.emberstack.com/reflects: "{{ .Values.postgres.cluster.namespace | default .Release.Namespace }}/{{ .Values.postgres.cluster.name | default "gitea-pg" }}-app"
# Helm resource-policy keep — do not delete on helm uninstall (the
# Secret is independently managed by reflector after initial creation).
helm.sh/resource-policy: keep
type: Opaque
# Bootstrap empty data — reflector overwrites these within seconds of
# gitea-pg-app being created by CNPG. Empty values here prevent
# CreateContainerConfigError (secret key missing) during initial render.
data:
password: ""
Reference in New Issue View Git Blame Copy Permalink