Skip to content

Commit 1f1cb30

Browse files
authored
Merge pull request #16 from datum-cloud/fix/github-app-polling-only
refactor: infra-owned GitHub App secrets, polling-only discovery
2 parents 7e023fa + 0bf83df commit 1f1cb30

5 files changed

Lines changed: 10 additions & 66 deletions

File tree

app-config.yaml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -65,14 +65,16 @@ integrations:
6565
token: ${GITHUB_TOKEN}
6666
# Deployed environments authenticate as a GitHub App instead of a PAT
6767
# (org-wide install, higher rate limits, no personal token to rotate).
68-
# The credentials are already projected into the pod by the
69-
# external-secrets component (backstage-github-app -> GITHUB_APP_*).
68+
# The environment's infra overlay projects the credentials into the pod
69+
# (an ExternalSecret + envFrom -> GITHUB_APP_*); this repo does not own
70+
# that env-specific secret wiring. Catalog discovery polls GitHub
71+
# outbound on a schedule, so no inbound webhook (and no webhookSecret) is
72+
# required — see catalog.providers below.
7073
# Enable per-environment by supplying this block from the deploy overlay:
7174
# apps:
7275
# - appId: ${GITHUB_APP_ID}
7376
# clientId: ${GITHUB_CLIENT_ID}
7477
# clientSecret: ${GITHUB_CLIENT_SECRET}
75-
# webhookSecret: ${GITHUB_WEBHOOK_SECRET}
7678
# privateKey: ${GITHUB_PRIVATE_KEY}
7779

7880
proxy:

config/README.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,6 @@ config/
1010
database-cnpg/ # CloudNativePG Cluster + POSTGRES_* env wiring
1111
app-config/ # mounts a `backstage-app-config` ConfigMap as --config
1212
networking/ # HTTPRoute onto the shared internal-auth-gateway
13-
external-secrets/ # GitHub App + backend secret from gcp-secret-store
1413
overlays/
1514
e2e/ # base + database-cnpg + app-config, image backstage:e2e
1615
```
@@ -31,10 +30,14 @@ Each component factors out one concern so any overlay can opt in via
3130
| `database-cnpg` | A `postgresql.cnpg.io` `Cluster` (`backstage-postgres`) and a Deployment patch sourcing `POSTGRES_*` from the generated `backstage-postgres-app` secret. Used by the kind e2e environment. |
3231
| `app-config` | Deployment patch that layers `app-config.yaml` with a `backstage-app-config` ConfigMap mounted at `/etc/backstage`. The overlay supplies the ConfigMap contents. |
3332
| `networking` | An `HTTPRoute` attaching to the shared `internal-auth-gateway` (OIDC is enforced at the gateway). |
34-
| `external-secrets` | An `ExternalSecret` projecting the GitHub App credentials and backend secret from the `gcp-secret-store` ClusterSecretStore into the pod. |
3533

3634
## overlays
3735

3836
`e2e` composes `base` with `database-cnpg` and `app-config` and is what the
3937
`E2E` workflow deploys into a kind cluster. Production overlays are composed
4038
on the deploy side (infra repo) from `base` plus the relevant components.
39+
40+
Secret injection (the GitHub App credentials, backend secret, etc.) is
41+
environment-specific — the secret store, GCP project, and secret names differ
42+
per stack — so it is defined in the infra overlay as an `ExternalSecret` plus
43+
an `envFrom` Deployment patch, not shipped as a component here.

config/components/external-secrets/external-secret.yaml

Lines changed: 0 additions & 38 deletions
This file was deleted.

config/components/external-secrets/kustomization.yaml

Lines changed: 0 additions & 11 deletions
This file was deleted.

config/components/external-secrets/patch-deployment.yaml

Lines changed: 0 additions & 12 deletions
This file was deleted.

0 commit comments

Comments
 (0)