infra: manage CI secrets and ghcr.io pull credentials via Terraform

Adds github provider + ci.tf which provisions: - KUBECONFIG GitHub Actions secret (from local kubeconfig) - ghcr-credentials k8s pull secret in finance and auth namespaces Run `terraform apply -var github_token=<PAT>` once after cluster setup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 14:21:15 +01:00 · 2026-06-13 14:21:15 +01:00 · e018e627e3
commit e018e627e3
parent 94b23fc839
2 changed files with 74 additions and 0 deletions
--- a/infrastructure/terraform/ci.tf
+++ b/infrastructure/terraform/ci.tf
@ -0,0 +1,53 @@
+# CI/CD bootstrap — GitHub Actions secrets and in-cluster ghcr.io pull credentials.
+# Run `terraform apply` once after setting up a new cluster or rotating credentials.
+
+locals {
+  # Namespaces that run app workloads and need to pull from ghcr.io.
+  app_namespaces = ["finance", "auth"]
+
+  # Base64-encoded kubeconfig for the GitHub Actions runner.
+  # We reuse the same kubeconfig that Terraform itself reads, but with the
+  # external server address so GitHub runners can reach the cluster.
+  kubeconfig_b64 = base64encode(file(pathexpand("~/.kube/config")))
+}
+
+# ---------------------------------------------------------------------------
+# GitHub Actions secrets
+# ---------------------------------------------------------------------------
+
+data "github_repository" "homelab" {
+  name = "homelab"
+}
+
+resource "github_actions_secret" "kubeconfig" {
+  repository      = data.github_repository.homelab.name
+  secret_name     = "KUBECONFIG"
+  plaintext_value = local.kubeconfig_b64
+}
+
+# ---------------------------------------------------------------------------
+# ghcr.io pull secret — created in every app namespace
+# ---------------------------------------------------------------------------
+
+resource "kubernetes_secret" "ghcr_credentials" {
+  for_each = toset(local.app_namespaces)
+
+  metadata {
+    name      = "ghcr-credentials"
+    namespace = kubernetes_namespace.domains[each.key].metadata[0].name
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = var.github_owner
+          password = var.github_token
+          auth     = base64encode("${var.github_owner}:${var.github_token}")
+        }
+      }
+    })
+  }
+}
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@ -12,7 +12,28 @@ terraform {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
    }
+  }
+}
+
+variable "github_token" {
+  description = "GitHub PAT with repo and write:packages scopes (used for Actions secrets and ghcr.io pull)"
+  type        = string
+  sensitive   = true
+}
+
+variable "github_owner" {
+  description = "GitHub username / org that owns the homelab repo"
+  type        = string
+  default     = "GoncaloRodri"
+}
+
+provider "github" {
+  token = var.github_token
+  owner = var.github_owner
 }

 locals {