docs: add section on Gitea secrets as source of truth for production
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 6m4s
This commit is contained in: parent f3bece7009, commit 576ce89698
README.md: 48 additions
@ -48,6 +48,8 @@ A full-stack application boilerplate with a React frontend and Node.js backend
- [🆕 Recent Improvements \& Troubleshooting](#-recent-improvements--troubleshooting)
- [🚀 Production Deployment Pipeline (CI/CD)](#-production-deployment-pipeline-cicd)
- [CI/CD Kubernetes Deployment Setup](#cicd-kubernetes-deployment-setup)
- [Using Private Docker Registry with Kubernetes](#using-private-docker-registry-with-kubernetes)
- [Production Secrets Management (Gitea as Source of Truth)](#production-secrets-management-gitea-as-source-of-truth)
---
@ -559,3 +561,49 @@ To enable automated deployment to your Kubernetes cluster from CI/CD (Gitea Acti
6. **Your pipeline will now be able to deploy to your Kubernetes cluster.**
---
## Using Private Docker Registry with Kubernetes
If you use a private Docker registry (like registry.liquidrinu.com), you must create a Kubernetes secret and reference it in your deployments:
1. **Create the registry secret:**
```bash
kubectl create secret docker-registry regcred \
--docker-server=registry.liquidrinu.com \
--docker-username=YOUR_REGISTRY_USERNAME \
--docker-password=YOUR_REGISTRY_PASSWORD \
--docker-email=YOUR_EMAIL \
-n fusero-prod
```
2. **Reference the secret in your deployment YAMLs:**
In your deployment spec, add:
```yaml
imagePullSecrets:
- name: regcred
```
Example:
```yaml
spec:
template:
spec:
imagePullSecrets:
- name: regcred
containers:
- name: backend
image: ...
```
This allows Kubernetes to authenticate to your private registry and pull images securely.
---
## Production Secrets Management (Gitea as Source of Truth)
- In production, all sensitive values (like `POSTGRES_PASSWORD`, `DEFAULT_ADMIN_PASSWORD`, etc.) are managed as secrets in your Gitea repository (Settings → Secrets).
- The CI/CD pipeline uses these secrets to generate `chart/secrets.prod.yaml` and other files at runtime.
- Helm uses these generated files to set environment variables for your Kubernetes resources.
- The Postgres password is set from the secret **only when the database is first initialized** (i.e., when the persistent volume is empty). Changing the secret later will not update the password for an existing database unless you reset the DB or delete the volume.
- **Summary:** Gitea secrets are the source of truth for production. Always update secrets in Gitea and redeploy to apply changes to new pods.
---
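Review bot: the `kubectl create secret docker-registry regcred` step in the new "Using Private Docker Registry with Kubernetes" subsection puts the registry password on the command line (`--docker-password=YOUR_REGISTRY_PASSWORD`), where it ends up in shell history and is readable from the process list while the command runs; the documented form should read it from a variable populated with `read -s` or from a file instead of a literal. Two smaller points in the same hunk. First, the secret is created with `-n fusero-prod`, and `imagePullSecrets` only resolves secrets in the pod's own namespace, so the text should say the secret must be recreated in every namespace that pulls from the registry. Second, the "Production Secrets Management" bullets say a changed `POSTGRES_PASSWORD` only takes effect "unless you reset the DB or delete the volume", which would discard production data; document the non-destructive rotation path (change the password on the running instance with `ALTER USER ... WITH PASSWORD`, then update the Gitea secret so the two stay in sync, otherwise Gitea stops being the source of truth for the existing database). It is also worth stating that the generated `chart/secrets.prod.yaml` must be in `.gitignore` and removed from the runner workspace after the deploy, since the pipeline materializes every production secret into that file.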