hearth/kubernetes/forgejo/secrets.yaml.template
Eric Garcia e78000831e Initial commit: Port infrastructure from coherence-mcp
Hearth is the infrastructure home for the letemcook ecosystem.

Ported from coherence-mcp/infra:
- Terraform modules (VPC, EKS, IAM, NLB, S3, storage)
- Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter)
- Deployment scripts (phased rollout)

Status: Not deployed. EKS cluster needs to be provisioned.

Next steps:
1. Bootstrap terraform backend
2. Deploy phase 1 (foundation)
3. Deploy phase 2 (core services including Forgejo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 06:06:13 -05:00


# Forgejo Secrets Template
# RFC 0040: Self-Hosted Core Services
#
# NOTE: This is a template. In production, create the real Secrets via one of:
# 1. External Secrets Operator (values pulled from an external store at runtime)
# 2. Sealed Secrets (the encrypted SealedSecret object is what gets committed)
# 3. Manual `kubectl create secret` (values never written to a tracked file)
#
# A Kubernetes Secret is only base64-encoded, not encrypted: anyone with
# `get secrets` in the forgejo namespace can read these values, so keep the
# namespace RBAC tight and enable etcd encryption at rest.
#
# DO NOT commit actual secret values to git! Grep for REPLACE_WITH before
# applying anything rendered from this file.
---
# Database credentials for CockroachDB connection
apiVersion: v1
kind: Secret
metadata:
  name: forgejo-db
  namespace: forgejo
  labels:
    app.kubernetes.io/name: forgejo
    app.kubernetes.io/part-of: core-services
type: Opaque
stringData:
  username: "forgejo"
  # Password of the dedicated forgejo database user
  password: "REPLACE_WITH_ACTUAL_PASSWORD"
---
# Application secrets
apiVersion: v1
kind: Secret
metadata:
  name: forgejo-secrets
  namespace: forgejo
  labels:
    app.kubernetes.io/name: forgejo
    app.kubernetes.io/part-of: core-services
type: Opaque
stringData:
  # Generate with: forgejo generate secret SECRET_KEY (or: openssl rand -hex 32)
  secret-key: "REPLACE_WITH_RANDOM_64_CHAR_HEX"
  # Generate with: forgejo generate secret INTERNAL_TOKEN
  internal-token: "REPLACE_WITH_INTERNAL_TOKEN"
  # Bearer token for the /metrics endpoint; generate with: openssl rand -hex 32
  metrics-token: "REPLACE_WITH_METRICS_TOKEN"
---
# OAuth2 secrets for Keycloak SSO
apiVersion: v1
kind: Secret
metadata:
  name: forgejo-oauth
  namespace: forgejo
  labels:
    app.kubernetes.io/name: forgejo
    app.kubernetes.io/part-of: core-services
type: Opaque
stringData:
  # Generate with: forgejo generate secret JWT_SECRET
  # (Forgejo decodes this as base64 of 32 bytes, so a raw hex string is the wrong shape)
  jwt-secret: "REPLACE_WITH_JWT_SECRET"
  # Keycloak client secret (from the Keycloak admin console)
  keycloak-client-secret: "REPLACE_WITH_KEYCLOAK_CLIENT_SECRET"
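The header above names Sealed Secrets and `kubectl create secret` as production paths but stops short of showing the workflow. The script below is an added example, not code from the hearth repo or from Forgejo: it generates each value in the shape the template asks for, refuses to proceed if a placeholder or empty value slipped through, renders the three Secrets client-side with kubectl and pipes them straight into kubeseal, so plaintext never lands in a tracked file. It assumes `kubectl` and `kubeseal` are on PATH with the sealed-secrets controller installed, that the Forgejo binary (if present) is called `forgejo`, and that the two externally provisioned values arrive in the environment variables `FORGEJO_DB_PASSWORD` and `KEYCLOAK_CLIENT_SECRET` (names chosen for this example).

```shell
#!/usr/bin/env bash
# Added example (not part of hearth or Forgejo): fill the Forgejo secret
# template with fresh values and emit SealedSecrets for the three Secrets.
# Assumed: kubectl + kubeseal on PATH, sealed-secrets controller installed,
# optional `forgejo` binary, FORGEJO_DB_PASSWORD / KEYCLOAK_CLIENT_SECRET set.
set -eu

# 32 random bytes as 64 lowercase hex chars, the same shape as
# `openssl rand -hex 32`; reads /dev/urandom so it works without openssl.
gen_hex_secret() {
  head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# 32 random bytes as unpadded URL-safe base64 (43 chars): the shape that
# `forgejo generate secret JWT_SECRET` emits and that Forgejo decodes.
gen_jwt_secret() {
  head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Prefer Forgejo's own generator for the values it defines; fall back to hex.
gen_forgejo_secret() {  # $1 = SECRET_KEY | INTERNAL_TOKEN
  if command -v forgejo >/dev/null 2>&1; then
    forgejo generate secret "$1"
  else
    gen_hex_secret
  fi
}

# Non-zero exit for a value that is empty, still a template placeholder,
# or shorter than $2 characters (default 32).
check_secret_value() {  # $1 = candidate value, $2 = minimum length
  case "$1" in
    ""|*REPLACE_WITH*) return 1 ;;
  esac
  [ "${#1}" -ge "${2:-32}" ]
}

# Last line of defence before apply: no placeholder may survive in a manifest.
check_no_placeholders() {  # $1 = manifest path
  ! grep -q 'REPLACE_WITH' "$1"
}

# Render one Secret with kubectl's generator (--dry-run=client: nothing is
# sent to the API server) and seal it. `kubectl create secret` does not carry
# the template's app.kubernetes.io labels; add them with `kubectl label --local`
# before sealing if your selectors depend on them.
seal_secret() {  # $1 = secret name, $2 = output file, rest = --from-literal args
  local name=$1 out=$2
  shift 2
  kubectl create secret generic "$name" --namespace forgejo "$@" \
    --dry-run=client -o yaml \
    | kubeseal --format yaml > "$out"
}

render_and_seal() {  # $1 = output directory for the sealed manifests
  local out=$1
  local secret_key internal_token metrics_token jwt_secret db_password client_secret
  secret_key=$(gen_forgejo_secret SECRET_KEY)
  internal_token=$(gen_forgejo_secret INTERNAL_TOKEN)
  metrics_token=$(gen_hex_secret)
  jwt_secret=$(gen_jwt_secret)
  # These two come from outside (DB role creation, Keycloak admin console).
  db_password=${FORGEJO_DB_PASSWORD:?set from the CockroachDB forgejo role}
  client_secret=${KEYCLOAK_CLIENT_SECRET:?set from the Keycloak admin console}
  for v in "$secret_key" "$internal_token" "$metrics_token" "$jwt_secret"; do
    check_secret_value "$v" 32
  done
  check_secret_value "$db_password" 16
  check_secret_value "$client_secret" 16

  seal_secret forgejo-db "$out/forgejo-db.sealed.yaml" \
    --from-literal=username=forgejo \
    --from-literal=password="$db_password"
  seal_secret forgejo-secrets "$out/forgejo-secrets.sealed.yaml" \
    --from-literal=secret-key="$secret_key" \
    --from-literal=internal-token="$internal_token" \
    --from-literal=metrics-token="$metrics_token"
  seal_secret forgejo-oauth "$out/forgejo-oauth.sealed.yaml" \
    --from-literal=jwt-secret="$jwt_secret" \
    --from-literal=keycloak-client-secret="$client_secret"

  for f in "$out"/forgejo-*.sealed.yaml; do
    check_no_placeholders "$f"
  done
  echo "sealed manifests written to $out; commit these, never the plaintext"
}

# Only touch kubectl/kubeseal when asked, so the generators and checks above
# can be sourced and exercised on their own.
if [ "${1:-}" = "seal" ]; then
  render_and_seal "${2:-.}"
fi
```

Run it as `FORGEJO_DB_PASSWORD=... KEYCLOAK_CLIENT_SECRET=... ./seal-forgejo-secrets.sh seal hearth/kubernetes/forgejo` and commit only the `*.sealed.yaml` files; the plaintext lives in shell variables and a pipe for the duration of the run. On a shared host note that `--from-literal` exposes values in the process list, so prefer `--from-file` pointing at a tmpfs there.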