feat: sync runtime secrets from doppler
@@ -54,9 +54,14 @@ Add these secrets in your Gitea repository settings:
### Application Secrets
#### `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
- Doppler service token for the `hetznerterra` project runtime secrets
- Used by External Secrets Operator bootstrap
- Recommended scope: `hetznerterra` project, `prod` config only
#### `GRAFANA_ADMIN_PASSWORD`
- Admin password for Grafana
- Generate a strong password: `openssl rand -base64 32`
- Transitional fallback only while migrating observability secrets to Doppler
- In steady state, store this in Doppler as `GRAFANA_ADMIN_PASSWORD`
## Setting Up Secrets
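Review bot: the `GRAFANA_ADMIN_PASSWORD` bullets call the Gitea secret a "transitional fallback" but never say which source wins when both the Gitea secret and the Doppler `GRAFANA_ADMIN_PASSWORD` are set, nor when the Gitea copy should be deleted; add a bullet such as `- Delete this Gitea secret once the Doppler value is in place` and state the precedence the workflow actually applies, otherwise a stale Gitea value can silently keep winning after the Doppler migration. For `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`, "Recommended scope" covers project and config but not the token's access level; since the bullet above says it is only used by the External Secrets Operator bootstrap, document that a read-only service token is sufficient, and add a rotation note for it as the file already does for Tailscale auth keys.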
@@ -82,6 +87,7 @@ Check the workflow logs to verify all secrets are being used correctly.
- Never commit secrets to the repository
- Use strong, unique passwords for Grafana and other services
- Prefer Doppler for runtime app/platform secrets after cluster bootstrap
- Rotate Tailscale auth keys periodically
- Review OAuth client permissions regularly
- The workflow automatically opens SSH/API access only for the runner's IP during deployment
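Review bot: the new bullet "Prefer Doppler for runtime app/platform secrets after cluster bootstrap" does not say which secrets must stay as Gitea repository secrets because bootstrap needs them before Doppler is reachable; at minimum `DOPPLER_HETZNERTERRA_SERVICE_TOKEN` from the section above belongs in that list, so name it here to stop readers from moving it into Doppler and breaking the External Secrets Operator bootstrap. The rotation bullet only names Tailscale auth keys; the Doppler service token is just as long-lived and should get the same "rotate periodically" guidance in this list.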