docs: add section on Gitea secrets as source of truth for production
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 6m4s
This commit is contained in:
parent
f3bece7009
commit
576ce89698
48
README.md
@ -48,6 +48,8 @@ A full-stack application boilerplate with a React frontend and Node.js backend
- [🆕 Recent Improvements \& Troubleshooting](#-recent-improvements--troubleshooting)
- [🚀 Production Deployment Pipeline (CI/CD)](#-production-deployment-pipeline-cicd)
- [CI/CD Kubernetes Deployment Setup](#cicd-kubernetes-deployment-setup)
- [Using Private Docker Registry with Kubernetes](#using-private-docker-registry-with-kubernetes)
- [Production Secrets Management (Gitea as Source of Truth)](#production-secrets-management-gitea-as-source-of-truth)
---
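Review bot: the two new TOC anchors follow the slug convention already used in this list (parentheses and slashes dropped, spaces turned into hyphens, as in `#-production-deployment-pipeline-cicd`), so `#using-private-docker-registry-with-kubernetes` and `#production-secrets-management-gitea-as-source-of-truth` should resolve to the two `## ` headings added in the second hunk; the rendered diff does not preserve indentation, so please confirm that both entries sit at the same nesting level as the `CI/CD Kubernetes Deployment Setup` entry they follow rather than being accidentally nested under it.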
@ -559,3 +561,49 @@ To enable automated deployment to your Kubernetes cluster from CI/CD (Gitea Acti
6. **Your pipeline will now be able to deploy to your Kubernetes cluster.**
---
## Using Private Docker Registry with Kubernetes
If you use a private Docker registry (like registry.liquidrinu.com), you must create a Kubernetes secret and reference it in your deployments:
1. **Create the registry secret:**
```bash
kubectl create secret docker-registry regcred \
--docker-server=registry.liquidrinu.com \
--docker-username=YOUR_REGISTRY_USERNAME \
--docker-password=YOUR_REGISTRY_PASSWORD \
--docker-email=YOUR_EMAIL \
-n fusero-prod
```
2. **Reference the secret in your deployment YAMLs:**
In your deployment spec, add:
```yaml
imagePullSecrets:
- name: regcred
```
Example:
```yaml
spec:
template:
spec:
imagePullSecrets:
- name: regcred
containers:
- name: backend
image: ...
```
This allows Kubernetes to authenticate to your private registry and pull images securely.
---
## Production Secrets Management (Gitea as Source of Truth)
- In production, all sensitive values (like `POSTGRES_PASSWORD`, `DEFAULT_ADMIN_PASSWORD`, etc.) are managed as secrets in your Gitea repository (Settings → Secrets).
- The CI/CD pipeline uses these secrets to generate `chart/secrets.prod.yaml` and other files at runtime.
- Helm uses these generated files to set environment variables for your Kubernetes resources.
- The Postgres password is set from the secret **only when the database is first initialized** (i.e., when the persistent volume is empty). Changing the secret later will not update the password for an existing database unless you reset the DB or delete the volume.
- **Summary:** Gitea secrets are the source of truth for production. Always update secrets in Gitea and redeploy to apply changes to new pods.
---