Use Private Repositories

Deploy static sites from private Git repositories using deploy tokens.

Create Deploy Token

Forgejo/Gitea

  1. Go to Repository → Settings → Deploy Tokens

  2. Create a new token with read-only access

  3. Copy the token value

GitLab

  1. Go to Repository → Settings → Repository → Deploy tokens

  2. Create a token with read_repository scope

  3. Copy the token value

GitHub

  1. Go to Settings → Developer settings → Personal access tokens

  2. Create a fine-grained token with repository read access

  3. Copy the token value

Create Secret

Create a Secret in the same namespace as your StaticSite:

apiVersion: v1
kind: Secret
metadata:
  name: my-repo-token
  namespace: my-namespace
type: Opaque
stringData:
  password: "glpat-xxxxxxxxxxxx"  # Your token

Apply the secret (keep secret.yaml out of version control, since stringData holds the token in plain text):

kubectl apply -f secret.yaml

Reference Secret in StaticSite

apiVersion: pages.kup6s.com/v1alpha1
kind: StaticSite
metadata:
  name: internal-docs
  namespace: my-namespace
spec:
  repo: https://forgejo.example.com/org/private-repo.git
  domain: docs.internal.example.com
  secretRef:
    name: my-repo-token
    key: password           # Optional, defaults to "password"

The syncer will use the token for git clone/pull operations.

Security Notes

  • The Secret must be in the same namespace as the StaticSite

  • Use deploy tokens with minimal permissions (read-only)

  • Rotate tokens periodically

  • Consider using ExternalSecrets for token management
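
The last two notes combined, as an added example that is not part of the original documentation: an External Secrets Operator manifest that generates the my-repo-token Secret from an external store, so the token value never sits in a manifest. The store name example-store and the remote key path are hypothetical; the namespace, Secret name and key are the ones used above.

```yaml
# Added example; assumes the External Secrets Operator is installed in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-repo-token
  namespace: my-namespace          # same namespace as the StaticSite
spec:
  refreshInterval: 1h              # re-read the store so a rotated token reaches the Secret
  secretStoreRef:
    kind: ClusterSecretStore
    name: example-store            # hypothetical store name (assumption)
  target:
    name: my-repo-token            # must match spec.secretRef.name in the StaticSite
    creationPolicy: Owner          # the Secret is created and kept in sync by this resource
  data:
    - secretKey: password          # the key the StaticSite reads by default
      remoteRef:
        key: pages/internal-docs/deploy-token   # hypothetical path in the external store (assumption)
```

With this in place, rotating the token means updating it in the external store; the generated Secret is refreshed on the next interval.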