Get started in less than 5 minInstall now
Knodex logo
Knodex
Demo
OSSEnterprise

Declarative Repositories

Configure repository credentials declaratively using Kubernetes Secrets

Repository credentials can be configured declaratively by creating Kubernetes Secrets with the appropriate labels. This is the recommended approach for GitOps workflows.

Secret Format

Repository secrets must have the label knodex.io/secret-type: repository.

apiVersion: v1
kind: Secret
metadata:
  name: my-repo
  namespace: knodex # Must match server's namespace
  labels:
    knodex.io/secret-type: repository
type: Opaque
stringData:
  # Required fields
  url: https://github.com/myorg/myrepo.git
  project: my-project
  type: https # https, ssh, or github-app
 
  # Optional fields
  name: My Repository
  defaultBranch: main
  enabled: "true"
 
  # Credentials (based on type)
  bearerToken: ghp_xxxxxxxxxxxx

Authentication Types

HTTPS with Token

apiVersion: v1
kind: Secret
metadata:
  name: repo-https-example
  namespace: knodex
  labels:
    knodex.io/secret-type: repository
type: Opaque
stringData:
  url: https://github.com/myorg/myrepo.git
  project: my-project
  type: https
  bearerToken: ghp_xxxxxxxxxxxx

SSH

apiVersion: v1
kind: Secret
metadata:
  name: repo-ssh-example
  namespace: knodex
  labels:
    knodex.io/secret-type: repository
type: Opaque
stringData:
  url: git@github.com:myorg/myrepo.git
  project: my-project
  type: ssh
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----

GitHub App

apiVersion: v1
kind: Secret
metadata:
  name: repo-ghapp-example
  namespace: knodex
  labels:
    knodex.io/secret-type: repository
type: Opaque
stringData:
  url: https://github.com/myorg/myrepo.git
  project: my-project
  type: github-app
  githubAppId: "123456"
  githubAppInstallationId: "789012"
  githubAppPrivateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Secret Fields Reference

FieldRequiredDescription
urlYesRepository URL
projectYesProject ID this repository belongs to
typeYesAuthentication type: https, ssh, or github-app
nameNoDisplay name (defaults to repo name from URL)
defaultBranchNoDefault branch (defaults to main)
enabledNoWhether repository is enabled (defaults to true)
bearerTokenFor HTTPSGitHub/GitLab personal access token
sshPrivateKeyFor SSHSSH private key in PEM format
githubAppIdFor GitHub AppGitHub App ID
githubAppInstallationIdFor GitHub AppGitHub App Installation ID
githubAppPrivateKeyFor GitHub AppGitHub App private key in PEM format

Namespace

Secrets must be created in the same namespace as the knodex server. The default namespace is knodex.

RBAC

The knodex service account requires permissions to manage secrets:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: knodex-secret-manager
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "list", "update", "delete"]