cms-plugins/deploy/fleet-overlay/cms-plugins-production/secrets.yaml
Oleks bdc43bb1d6
ci/woodpecker/push/container Pipeline was successful
fix(deploy): align fleet-overlay blueprint with the live kotkan deploy
The deploy/fleet-overlay templates had drifted from what actually runs in
anton-helm-workloads (verified live + against the emdash-kotkanagrilli
reference). Canonical design co-locates everything in the `kotkan` namespace:

- source.yaml: GitRepository flux-system -> kotkan, so the HelmRelease
  chart sourceRef resolves same-namespace (no cross-namespace ref).
- secrets.yaml: deploy-key Secret -> kotkan, defined once in the staging
  overlay; dropped the duplicate definition from the production overlay
  (production references the shared key by name).
- image-automation.yaml: IUA write-back sourceRef
  anton-workloads-image-automation/flux-system -> anton-helm-workloads/kotkan
  (the existing read source already has push access).
- README.md / DEPLOYMENT.md: namespace + ownership docs corrected.
2026-06-02 03:24:52 +03:00


# Secret for the production environment:
# cms-plugins-production-secrets — env vars consumed by the pod via the
# chart's `existingSecret`. EMDASH_ENCRYPTION_KEY is required; everything
# else is optional.
#
# NOTE: the Flux SSH deploy key (cms-plugins-deploy-key) is NOT defined here.
# It is a single shared key defined once in the staging overlay's secrets.yaml
# (namespace `kotkan`); this env's source.yaml references it by name. Defining
# it again here would create a duplicate Secret (same name + namespace) with
# last-write-wins ambiguity. Mirrors the emdash-kotkanagrilli reference.
#
# This is a TEMPLATE — encrypt it with sops before committing to the
# anton-helm-workloads repo. Encrypt only the `stringData`/`data` values so
# that apiVersion, kind and metadata stay in cleartext: kustomize-controller
# needs them to identify the resource and cannot decrypt a Secret whose kind
# or metadata were encrypted.
#
# sops --encrypt --age <recipient-key> \
#      --encrypted-regex '^(data|stringData)$' --in-place secrets.yaml
#
# Generation:
# openssl rand -hex 32 → EMDASH_ENCRYPTION_KEY (one per env, do not reuse).
# Never commit this file with the REPLACE_WITH_ placeholder still in place or
# with a plaintext key.
---
apiVersion: v1
kind: Secret
metadata:
  name: cms-plugins-production-secrets
  namespace: kotkan
type: Opaque
stringData:
  EMDASH_ENCRYPTION_KEY: REPLACE_WITH_RANDOM_HEX_32
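As an added example (not code from this file or the anton-helm-workloads repo), a POSIX shell pre-commit guard for the procedure the header comment describes: it generates a key of the same shape as `openssl rand -hex 32`, renders the plaintext template, and refuses a `secrets.yaml` that still carries the `REPLACE_WITH_` placeholder, has no `sops:` block, has its `kind`/metadata encrypted, or carries any plaintext value under `stringData`/`data`. The function names, the sops-style sample manifests, their ciphertexts and the age recipient are constructed for the example and are not real sops output.

```shell
#!/bin/sh
# Added example (not from the anton-helm-workloads repo): pre-commit guard for
# sops-encrypted Secret templates. Assumes the file was encrypted with
#   sops --encrypt --age <recipient> --encrypted-regex '^(data|stringData)$' --in-place secrets.yaml
set -eu

# 32 random bytes as 64 hex chars, the same shape as `openssl rand -hex 32`,
# read from /dev/urandom so the script does not depend on openssl.
gen_hex_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Render the plaintext template for one environment with a fresh key.
# Usage: render_secret <env> <namespace>   (e.g. render_secret production kotkan)
render_secret() {
  env="$1"; ns="$2"; key="$(gen_hex_key)"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cms-plugins-${env}-secrets
  namespace: ${ns}
type: Opaque
stringData:
  EMDASH_ENCRYPTION_KEY: ${key}
EOF
}

# Return 0 only if FILE is safe to commit:
#   - no leftover REPLACE_WITH_ placeholder,
#   - `kind: Secret` still in cleartext (kustomize-controller cannot decrypt a
#     Secret whose kind/metadata were encrypted),
#   - a top-level `sops:` metadata block is present,
#   - every value under data:/stringData: is an ENC[...] ciphertext.
check_secret_manifest() {
  f="$1"
  if grep -q 'REPLACE_WITH_' "$f"; then
    echo "$f: placeholder value not replaced" >&2; return 1
  fi
  if ! grep -q '^kind: Secret$' "$f"; then
    echo "$f: kind/metadata not in cleartext; encrypt only data/stringData" >&2; return 1
  fi
  if ! grep -q '^sops:' "$f"; then
    echo "$f: not sops-encrypted" >&2; return 1
  fi
  # Walk the data:/stringData: blocks; each indented "key: value" must be ENC[...].
  awk '
    BEGIN { bad = 0 }
    /^(data|stringData):/ { inblk = 1; next }
    /^[^[:space:]]/       { inblk = 0 }
    inblk && /^[[:space:]]+[^[:space:]#][^:]*:/ {
      k = $1; sub(/:$/, "", k)
      v = $0; sub(/^[^:]*:[[:space:]]*/, "", v)
      if (v !~ /^ENC\[/) { print FILENAME ": plaintext value for " k > "/dev/stderr"; bad = 1 }
    }
    END { exit bad }
  ' "$f"
}

# Constructed sample resembling sops output for the template above (ciphertexts,
# MAC and age recipient are placeholders, not real sops output).
sample_encrypted_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: cms-plugins-production-secrets
    namespace: kotkan
type: Opaque
stringData:
    EMDASH_ENCRYPTION_KEY: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1placeholderrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXI=
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    encrypted_regex: ^(data|stringData)$
EOF
}

# Constructed sample of the mistake the header warns against: encrypting the
# whole file leaves kind and metadata unreadable to kustomize-controller.
sample_fully_encrypted_manifest() {
  cat <<'EOF'
apiVersion: ENC[AES256_GCM,data:djE=,iv:aXY=,tag:dGFn,type:str]
kind: ENC[AES256_GCM,data:U2VjcmV0,iv:aXY=,tag:dGFn,type:str]
metadata:
    name: ENC[AES256_GCM,data:bmFtZQ==,iv:aXY=,tag:dGFn,type:str]
    namespace: ENC[AES256_GCM,data:a290a2Fu,iv:aXY=,tag:dGFn,type:str]
type: ENC[AES256_GCM,data:T3BhcXVl,iv:aXY=,tag:dGFn,type:str]
stringData:
    EMDASH_ENCRYPTION_KEY: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
}
```

Run `check_secret_manifest` from a pre-commit hook over every `secrets.yaml` under the fleet overlays; the `kind: Secret` test is what catches the whole-file encryption variant, which sops accepts happily but kustomize-controller cannot apply.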