You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
app-config/ # mounts a `backstage-app-config` ConfigMap as --config
12
12
networking/ # HTTPRoute onto the shared internal-auth-gateway
13
-
external-secrets/ # GitHub App + backend secret from gcp-secret-store
14
13
overlays/
15
14
e2e/ # base + database-cnpg + app-config, image backstage:e2e
16
15
```
@@ -31,10 +30,14 @@ Each component factors out one concern so any overlay can opt in via
31
30
|`database-cnpg`| A `postgresql.cnpg.io``Cluster` (`backstage-postgres`) and a Deployment patch sourcing `POSTGRES_*` from the generated `backstage-postgres-app` secret. Used by the kind e2e environment. |
32
31
|`app-config`| Deployment patch that layers `app-config.yaml` with a `backstage-app-config` ConfigMap mounted at `/etc/backstage`. The overlay supplies the ConfigMap contents. |
33
32
|`networking`| An `HTTPRoute` attaching to the shared `internal-auth-gateway` (OIDC is enforced at the gateway). |
34
-
|`external-secrets`| An `ExternalSecret` projecting the GitHub App credentials and backend secret from the `gcp-secret-store` ClusterSecretStore into the pod. |
35
33
36
34
## overlays
37
35
38
36
`e2e` composes `base` with `database-cnpg` and `app-config` and is what the
39
37
`E2E` workflow deploys into a kind cluster. Production overlays are composed
40
38
on the deploy side (infra repo) from `base` plus the relevant components.
39
+
40
+
Secret injection (the GitHub App credentials, backend secret, etc.) is
41
+
environment-specific — the secret store, GCP project, and secret names differ
42
+
per stack — so it is defined in the infra overlay as an `ExternalSecret` plus
43
+
an `envFrom` Deployment patch, not shipped as a component here.
0 commit comments