From b087dac0f13678bc3e968fe9abb487c3f9d82cd8 Mon Sep 17 00:00:00 2001
From: Daniel Sy
Date: Mon, 8 Jun 2026 14:01:59 +0200
Subject: [PATCH] =?UTF-8?q?fix(core):=20=F0=9F=90=9B=20remove=20template?=
 =?UTF-8?q?=20vars=20from=20secrets-backup=20=E2=80=94=20use=20K8s=20secre?=
 =?UTF-8?q?ts=20directly?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The deploy workflow does not have BACKUP_ENCRYPTION_KEY/BACKUP_BUCKET/OBS_ENDPOINT env vars. Redesigned to reference existing forgejo-cloud-credentials K8s secret and hardcode OBS endpoint, matching the pattern of forgejo-s3-backup-cronjob.

Ref: IPCEICIS-9317
---
 .../manifests/secrets-backup-cronjob.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/template/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml b/template/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
index aa3b1bd..bd1f913 100644
--- a/template/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
+++ b/template/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
@@ -36,7 +36,9 @@ metadata:
 namespace: gitea
 type: Opaque
 stringData:
- encryption-passphrase: "{{{ .Env.BACKUP_ENCRYPTION_KEY }}}"
+ # IMPORTANT: Replace this placeholder with a strong passphrase per environment.
+ # This secret should be managed via external-secrets or manually set after initial deploy.
+ encryption-passphrase: "CHANGE-ME-SET-PER-ENVIRONMENT"
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -77,10 +79,13 @@ spec: secretKeyRef: name: secrets-backup-config key: encryption-passphrase - - name: BACKUP_BUCKET value: "{{{ .Env.BACKUP_BUCKET }}}" + - name: SOURCE_BUCKET valueFrom: secretKeyRef: name: forgejo-cloud-credentials key: bucket-name - name: OBS_ENDPOINT value: "{{{ .Env.OBS_ENDPOINT }}}" + value: "obs.eu-de.otc.t-systems.com" command: - /bin/sh - -c
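Review bot: The Secret now ships `encryption-passphrase: "CHANGE-ME-SET-PER-ENVIRONMENT"`, a committed and therefore publicly known passphrase, and nothing in the CronJob refuses to run with it, so until someone replaces it every backup this job produces is encrypted with a value anyone who can read the repository knows. The new comment offers a manual edit after deploy as one option; if this manifest is applied by a GitOps sync (the `template/stacks/` path suggests so, but that is outside this hunk) a manual change is likely to be reverted to the placeholder on the next sync, so the external-secrets route should be documented as required rather than as an alternative. A fail-closed guard at the top of the backup script, `[ "$ENCRYPTION_PASSPHRASE" = "CHANGE-ME-SET-PER-ENVIRONMENT" ] && { echo "refusing to run: placeholder encryption passphrase"; exit 1; }` (ENCRYPTION_PASSPHRASE stands for whatever name the env entry that reads `encryption-passphrase` uses; that `- name:` line is outside this hunk), would stop a misconfigured environment from producing backups under a known key. The Secret's `kind` and `metadata.name` lines precede the hunk.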
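Review bot: `SOURCE_BUCKET` is a misleading name for what is an upload destination (hunk 3 uses it as `s3://${SOURCE_BUCKET}/cluster-secrets-backup/...`), and reading it from `forgejo-cloud-credentials` means the cluster-secrets archives land in the bucket, and under the credentials, that Forgejo itself uses, so whatever can use that secret — presumably the Forgejo pods — can also fetch every backup, with only the passphrase from hunk 1 protecting them. Keeping the old `BACKUP_BUCKET` name, or `TARGET_BUCKET`, would read correctly, and a comment above the entry such as `# Destination bucket comes from forgejo-cloud-credentials and is shared with whatever else uses that secret; only the cluster-secrets-backup/ prefix and the client-side encryption separate this data` makes the trade-off explicit to the next maintainer. The hardcoded `value: "obs.eu-de.otc.t-systems.com"` pins the template to one region; if `forgejo-cloud-credentials` already carries an endpoint key, reading it from there would keep region configuration in one place, though I cannot see that secret's keys from here. The container's env list starts before this hunk and the `command:` block continues after it.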
@@ -115,7 +120,7 @@ spec: echo "=== Uploading to OBS ===" aws s3 cp "${ENCRYPTED}" \ - "s3://${BACKUP_BUCKET}/secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \ + "s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \ --endpoint-url "https://${OBS_ENDPOINT}" echo "=== Cleanup ==="
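Review bot: The rewritten `aws s3 cp` line has no failure handling visible in this hunk: if the upload fails, the script proceeds to `echo "=== Cleanup ==="` and presumably removes the local archive, leaving no backup while the Job can still exit 0 unless a `set -e` earlier in the script (outside this hunk) catches it. Appending `|| { echo "upload failed"; exit 1; }` after `--endpoint-url "https://${OBS_ENDPOINT}"` makes the job fail visibly either way. The object prefix also changes from `secrets-backup/` to `cluster-secrets-backup/`; any retention, listing or restore step keyed on the old prefix would silently stop seeing new objects, so the rename deserves a mention in the commit message or a comment above the line. The script's variable setup (`ENCRYPTED`, `TIMESTAMP`) and its end lie outside the hunk.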