2026-03-02 20:29:19 +00:00

# Gitea Secrets Setup

This document describes the secrets required for the HetznerTerra deployment workflow.

## Required Secrets

Add these secrets in your Gitea repository settings:

**Settings → Secrets → Actions**

### Infrastructure Secrets

#### `HCLOUD_TOKEN`

- Hetzner Cloud API token
- Get from: https://console.hetzner.com/projects/{project-id}/security/api-tokens
- Permissions: Read & Write
- Hetzner API tokens are scoped to a single project, so create it in the project that will hold the cluster

#### `S3_ACCESS_KEY` & `S3_SECRET_KEY`

- Backblaze B2 application key for Terraform state storage
- Get from: https://secure.backblaze.com/b2_buckets.htm
- Create an application key restricted to your Terraform state bucket, not an account-wide key: the state file can contain sensitive resource attributes, and a leaked key should not reach anything else in the account

#### `S3_ENDPOINT`

- Backblaze B2 S3-compatible endpoint for the region the bucket was created in
- Example: `https://s3.eu-central-003.backblazeb2.com`

#### `S3_BUCKET`

- Backblaze B2 bucket name for Terraform state
- Example: `k8s-terraform-state`

### SSH Secrets

#### `SSH_PRIVATE_KEY` & `SSH_PUBLIC_KEY`

- SSH key pair for cluster access
- Generate with: `ssh-keygen -t ed25519 -C "k8s@hetzner" -f ~/.ssh/hetzner_k8s`
- `SSH_PRIVATE_KEY`: the full private key file content, including the `-----BEGIN OPENSSH PRIVATE KEY-----` and `-----END OPENSSH PRIVATE KEY-----` lines and the trailing newline
- `SSH_PUBLIC_KEY`: the full public key line starting with `ssh-ed25519`
- Generate this pair for the workflow only; do not reuse a personal key, since anyone who can run workflows in the repository can read the private key

### Tailscale Secrets

#### `TAILSCALE_AUTH_KEY`

- Tailscale auth key for node registration
- Get from: https://login.tailscale.com/admin/settings/keys
- Type: Reusable, Ephemeral (ephemeral nodes are removed from the tailnet automatically once they go offline, which suits nodes that Terraform destroys and recreates)
- Scope: `devices:core:write`
- Auth keys have a maximum lifetime of 90 days; once the key expires, node registration fails and the workflow with it, so plan the rotation noted under Security Notes

#### `TAILSCALE_TAILNET`

- Your Tailscale network name
- Example: `tail7ec33.ts.net` or your custom domain

#### `TAILSCALE_OAUTH_CLIENT_ID` & `TAILSCALE_OAUTH_CLIENT_SECRET`

- OAuth credentials for Tailscale Kubernetes Operator
- Get from: https://login.tailscale.com/admin/settings/oauth
- Create OAuth client with scope: `devices:core:write`
- Current operator releases also require the `auth_keys:write` scope and a tag on the client (Tailscale's operator docs use `tag:k8s-operator`), so check the operator's requirements for the version you deploy before creating the client
- The client secret is displayed once at creation and cannot be retrieved afterwards; store it immediately

### Application Secrets

#### `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`

- Doppler service token for the `hetznerterra` project runtime secrets
- Used by External Secrets Operator bootstrap
- Recommended scope: `hetznerterra` project, `prod` config only
- Doppler service tokens are read-only and bound to one config, so a token scoped this way can read `prod` secrets but cannot modify them or reach other environments

#### `GRAFANA_ADMIN_PASSWORD`

- Transitional fallback only while migrating observability secrets to Doppler
- In steady state, store this in Doppler as `GRAFANA_ADMIN_PASSWORD` and delete the Gitea secret once the migration is complete

## Setting Up Secrets

1. Go to your Gitea repository
2. Navigate to **Settings → Secrets → Actions**
3. Click **Add Secret**
4. Enter the secret name (exact match from above; the name must equal the `secrets.NAME` reference the workflow uses, or the workflow sees an empty value)
5. Paste the secret value (for `SSH_PRIVATE_KEY`, the whole file including the BEGIN and END lines)
6. Click **Add Secret**
7. Repeat for all secrets

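Doing the steps above by hand for a dozen secrets is where names get misspelled and the multi-line SSH key gets mangled. The script below, added here as an example and not part of the HetznerTerra project, pushes secrets from a local env file through Gitea's per-repository Actions secrets API (`PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{name}` with a `{"data": "..."}` body, available in recent Gitea releases; confirm it on your instance's `/api/swagger`). It refuses names not on this page and JSON-escapes values itself so newlines survive. The environment variable names `GITEA_URL`, `GITEA_TOKEN`, `GITEA_REPO`, the `NAME=@path` file convention and the script name are assumptions of the example.

```shell
#!/bin/sh
# push-gitea-secrets.sh: upload the workflow's secrets from a local env file
# to a Gitea repository through the Actions secrets API, so names are checked
# against the list on this page and multi-line values (the SSH private key)
# arrive intact. Added example, not part of the HetznerTerra project.
# Assumed (hypothetical) inputs:
#   GITEA_URL    https://gitea.example.com
#   GITEA_TOKEN  a personal access token with write access to the repo
#   GITEA_REPO   owner/repo
#   $1           env file: NAME=value, or NAME=@path to read a file verbatim
set -eu

# Names the deployment workflow expects (from this page).
REQUIRED_SECRETS="HCLOUD_TOKEN S3_ACCESS_KEY S3_SECRET_KEY S3_ENDPOINT S3_BUCKET \
SSH_PRIVATE_KEY SSH_PUBLIC_KEY TAILSCALE_AUTH_KEY TAILSCALE_TAILNET \
TAILSCALE_OAUTH_CLIENT_ID TAILSCALE_OAUTH_CLIENT_SECRET \
DOPPLER_HETZNERTERRA_SERVICE_TOKEN GRAFANA_ADMIN_PASSWORD"

NL='
'
TAB=$(printf '\t')
CR=$(printf '\r')

# is_required NAME -> 0 if NAME is a secret the workflow reads, 1 otherwise.
# A misspelled name would be stored and then silently ignored by the workflow,
# so refuse it up front.
is_required() {
  for n in $REQUIRED_SECRETS; do
    [ "$n" = "$1" ] && return 0
  done
  return 1
}

# secret_url BASE OWNER/REPO NAME -> Gitea's per-repository secret endpoint.
secret_url() {
  printf '%s/api/v1/repos/%s/actions/secrets/%s\n' "${1%/}" "$2" "$3"
}

# json_escape VALUE -> VALUE with backslash, quote, newline, tab and CR
# escaped for a JSON string. Walks the value one character at a time; other
# control characters do not occur in these secrets and pass through as-is.
json_escape() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      \\)     out="$out\\\\" ;;
      \")     out="$out\\\"" ;;
      "$NL")  out="$out\\n" ;;
      "$TAB") out="$out\\t" ;;
      "$CR")  out="$out\\r" ;;
      *)      out="$out$c" ;;
    esac
  done
  printf '%s' "$out"
}

# json_body VALUE -> the request body Gitea expects: {"data":"<escaped>"}
json_body() {
  printf '{"data":"%s"}\n' "$(json_escape "$1")"
}

# put_secret NAME VALUE -> create or update the secret; Gitea replies 201 when
# it is created and 204 when an existing one is updated. Only the name and the
# status code are ever printed, never the value.
put_secret() {
  is_required "$1" || { echo "refusing unknown secret name: $1" >&2; return 1; }
  code=$(json_body "$2" | curl -sS -o /dev/null -w '%{http_code}' -X PUT \
    "$(secret_url "$GITEA_URL" "$GITEA_REPO" "$1")" \
    -H "Authorization: token $GITEA_TOKEN" \
    -H 'Content-Type: application/json' --data-binary @-)
  case $code in
    201|204) echo "$1: ok (HTTP $code)" ;;
    *) echo "$1: failed (HTTP $code)" >&2; return 1 ;;
  esac
}

# Usage: GITEA_URL=... GITEA_TOKEN=... GITEA_REPO=owner/repo sh push-gitea-secrets.sh secrets.env
if [ -n "${1:-}" ]; then
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    name=${line%%=*}; value=${line#*=}
    case $value in
      @*) f=${value#@}
          value=$(cat "$f"; printf x); value=${value%x} ;;   # keep the trailing newline
    esac
    put_secret "$name" "$value"
  done < "$1"
fi
```

Put `SSH_PRIVATE_KEY=@/home/you/.ssh/hetzner_k8s` in the env file rather than pasting the key inline, and keep the env file outside the repository; it holds the same material as the Gitea secrets themselves.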
## Verification

After adding all secrets, trigger a workflow run:

```bash
git commit --allow-empty -m "ci: trigger workflow with new secrets"
git push
```

Check the workflow logs to verify all secrets are being used correctly. Gitea masks secret values in the logs, so an empty or malformed secret is not visible as such; look instead for failures at the step that consumes it (Terraform backend initialisation for the S3 secrets, the Hetzner API calls for `HCLOUD_TOKEN`, node registration for the Tailscale auth key).

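Reading masked logs is a poor way to find a missing or mis-pasted secret. A preflight step that checks each secret's presence and shape before Terraform runs fails fast with the secret's name and nothing else. The script below is an added example, not the project's own code; it assumes the workflow exports each secret into the environment under its own name (`env: HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}` and so on) and that it is invoked as `sh check-secrets.sh run`; the script name and the `run` argument are assumptions of the example.

```shell
#!/bin/sh
# check-secrets.sh: fail-fast preflight for the deployment workflow. Added
# example, not part of the HetznerTerra project. Run it as the first step with
# each secret exported into the environment under its own name. Values are
# never printed; only the secret name and what was wrong about it.
set -u

# Names the deployment workflow expects (from this page; GRAFANA_ADMIN_PASSWORD
# is transitional and therefore not required here, but is checked if given).
REQUIRED="HCLOUD_TOKEN S3_ACCESS_KEY S3_SECRET_KEY S3_ENDPOINT S3_BUCKET \
SSH_PRIVATE_KEY SSH_PUBLIC_KEY TAILSCALE_AUTH_KEY TAILSCALE_TAILNET \
TAILSCALE_OAUTH_CLIENT_ID TAILSCALE_OAUTH_CLIENT_SECRET \
DOPPLER_HETZNERTERRA_SERVICE_TOKEN"

# check_secret NAME VALUE -> 0 if VALUE has the shape the workflow needs for
# NAME, 1 otherwise with the reason (never the value) on stderr. Names without
# a specific rule only need to be non-empty.
check_secret() {
  name=$1; value=$2; reason=""
  if [ -z "$value" ]; then
    reason="empty"
  else
    case $name in
      SSH_PRIVATE_KEY)
        case $value in
          *"-----BEGIN "*" PRIVATE KEY-----"*"-----END "*" PRIVATE KEY-----"*) ;;
          *) reason="missing BEGIN/END PRIVATE KEY lines (paste the whole file)" ;;
        esac ;;
      SSH_PUBLIC_KEY)
        case $value in
          "ssh-ed25519 "*) ;;
          *) reason="must be the one-line public key starting with ssh-ed25519" ;;
        esac ;;
      S3_ENDPOINT)
        case $value in
          https://*) ;;
          *) reason="must be an https:// URL" ;;
        esac ;;
      TAILSCALE_AUTH_KEY)
        case $value in
          tskey-auth-*) ;;
          *) reason="does not look like a tskey-auth-... key" ;;
        esac ;;
      TAILSCALE_TAILNET)
        case $value in
          *.*) ;;
          *) reason="must be a DNS name such as example.ts.net" ;;
        esac ;;
      GRAFANA_ADMIN_PASSWORD)
        [ ${#value} -ge 16 ] || reason="shorter than 16 characters" ;;
    esac
  fi
  if [ -n "$reason" ]; then
    echo "secret $name: $reason" >&2
    return 1
  fi
  return 0
}

# check_env -> 0 if every required secret is present and well-formed in the
# environment, otherwise the number of failing secrets. Does not stop at the
# first failure, so one run reports everything that needs fixing.
check_env() {
  failed=0
  for n in $REQUIRED; do
    eval "v=\${$n:-}"
    check_secret "$n" "$v" || failed=$((failed + 1))
  done
  return $failed
}

if [ "${1:-}" = "run" ]; then
  if check_env; then
    echo "all required secrets present"
  else
    echo "secret preflight failed" >&2
    exit 1
  fi
fi
```

A non-zero exit from this step fails the job before Terraform initialises its backend, so a bad S3 key or an expired Tailscale key never leaves a half-applied state behind.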
## Security Notes

- Never commit secrets to the repository
- Use strong, unique passwords for Grafana and other services
- Prefer Doppler for runtime app/platform secrets after cluster bootstrap
- Rotate Tailscale auth keys periodically; they expire after at most 90 days, so rotation is needed for the workflow to keep working, not only as hygiene
- Review OAuth client permissions regularly
- The workflow automatically opens SSH/API access only for the runner's IP during deployment
- Every secret on this page is readable by any workflow that runs in the repository, so treat the ability to change workflow files as equivalent to holding the secrets, and restrict who can push to the branches that trigger deployment