meshcloud · j0g3sc · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/modules/ske/forgejo-connector/backplane/README.md b/modules/ske/forgejo-connector/backplane/README.md
@@ -28,11 +28,11 @@ No resources.
 | <a name="input_client_key"></a> [client\_key](#input\_client\_key) | Base64-encoded private key corresponding to the client certificate, used for authentication with the Kubernetes API server. | `string` | n/a | yes |
 | <a name="input_cluster_ca_certificate"></a> [cluster\_ca\_certificate](#input\_cluster\_ca\_certificate) | Base64-encoded certificate authority (CA) certificate used to verify the Kubernetes API server's identity. | `string` | n/a | yes |
 | <a name="input_cluster_host"></a> [cluster\_host](#input\_cluster\_host) | The endpoint of the Kubernetes cluster. | `string` | n/a | yes |
-| <a name="input_cluster_kubeconfig"></a> [cluster\_kubeconfig](#input\_cluster\_kubeconfig) | Raw kubeconfig content containing the configuration required to access and authenticate to the Kubernetes cluster. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_config_tf"></a> [config\_tf](#output\_config\_tf) | Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block. |
-<!-- END_TF_DOCS -->
+| <a name="output_kubeconfig_cluster_name"></a> [kubeconfig\_cluster\_name](#output\_kubeconfig\_cluster\_name) | Cluster name to use when merging static kubeconfig and generated service-account credentials. |
+<!-- END_TF_DOCS -->
diff --git a/modules/ske/forgejo-connector/backplane/outputs.tf b/modules/ske/forgejo-connector/backplane/outputs.tf
@@ -8,23 +8,10 @@ output "config_tf" {
     client_certificate = base64decode("${var.client_certificate}")
     client_key = base64decode("${var.client_key}")
   }
-
-  locals {
-    stackit_kubeconfig_stub = {
-      apiVersion      = "v1"
-      kind            = "Config"
-      current-context = "stackit_k8s"
-
-      clusters = [
-        {
-          name = "stackit_k8s"
-          cluster = {
-            server = "${var.cluster_host}"
-            certificate-authority-data = "${var.cluster_ca_certificate}"
-          }
-        }
-      ]
-    }
-  }
   EOF
-}
+}
+
+output "kubeconfig_cluster_name" {
+  description = "Cluster name to use when merging static kubeconfig and generated service-account credentials."
+  value       = "stackit_k8s"
+}
diff --git a/modules/ske/forgejo-connector/backplane/variables.tf b/modules/ske/forgejo-connector/backplane/variables.tf
@@ -20,9 +20,3 @@ variable "client_key" {
   type        = string
   sensitive   = true
 }
-
-variable "cluster_kubeconfig" {
-  description = "Raw kubeconfig content containing the configuration required to access and authenticate to the Kubernetes cluster."
-  type        = string
-  sensitive   = true
-}
diff --git a/modules/ske/forgejo-connector/buildingblock/README.md b/modules/ske/forgejo-connector/buildingblock/README.md
@@ -55,27 +55,27 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [forgejo_repository_action_secret.additional](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
 | [forgejo_repository_action_secret.container_registry](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
 | [forgejo_repository_action_secret.kubeconfig](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
+| [forgejo_repository_action_secret.namespace](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
 | [kubernetes_cluster_role_binding.forgejo_actions_clusterissuer_access](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_role_binding.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/role_binding) | resource |
 | [kubernetes_secret.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/secret) | resource |
 | [kubernetes_secret.image_pull](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/secret) | resource |
 | [kubernetes_service_account.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/service_account) | resource |
-| [forgejo_repository.this](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/data-sources/repository) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_environment_variables"></a> [additional\_environment\_variables](#input\_additional\_environment\_variables) | Map of additional environment variable key/value pairs to set as Forgejo repository action secrets. | `map(string)` | `{}` | no |
-| <a name="input_forgejo_repository_name"></a> [forgejo\_repository\_name](#input\_forgejo\_repository\_name) | The name of the Forgejo repository. | `string` | n/a | yes |
-| <a name="input_forgejo_repository_owner"></a> [forgejo\_repository\_owner](#input\_forgejo\_repository\_owner) | The owner of the Forgejo repository. | `string` | n/a | yes |
 | <a name="input_harbor_host"></a> [harbor\_host](#input\_harbor\_host) | The URL of the Harbor registry. | `string` | `"https://registry.onstackit.cloud"` | no |
 | <a name="input_harbor_password"></a> [harbor\_password](#input\_harbor\_password) | The password for the Harbor registry. | `string` | n/a | yes |
 | <a name="input_harbor_username"></a> [harbor\_username](#input\_harbor\_username) | The username for the Harbor registry. | `string` | n/a | yes |
+| <a name="input_kubeconfig"></a> [kubeconfig](#input\_kubeconfig) | Static kubeconfig content of the SKE cluster. | `any` | n/a | yes |
+| <a name="input_kubeconfig_cluster_name"></a> [kubeconfig\_cluster\_name](#input\_kubeconfig\_cluster\_name) | Cluster name used in merged kubeconfig context entries. | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Associated namespace in kubernetes cluster. | `string` | n/a | yes |
+| <a name="input_repository_id"></a> [repository\_id](#input\_repository\_id) | The ID of the Forgejo repository. | `string` | n/a | yes |
+| <a name="input_stage"></a> [stage](#input\_stage) | Deployment stage used for secret suffixing (`dev` or `prod`). | `string` | n/a | yes |
 
 ## Outputs
 

diff --git a/modules/ske/forgejo-connector/buildingblock/forgejo.tf b/modules/ske/forgejo-connector/buildingblock/forgejo.tf
@@ -1,5 +1,9 @@
 locals {
+  stage_suffix = upper(var.stage)
+
   kubeconfig_user = {
+    current-context = var.kubeconfig_cluster_name
+
     users = [
       {
         name = kubernetes_service_account.forgejo_actions.metadata[0].name
@@ -11,45 +15,38 @@ locals {
 
     contexts = [
       {
-        name = "stackit_k8s"
+        name = var.kubeconfig_cluster_name
         context = {
-          cluster   = "stackit_k8s"
+          cluster   = var.kubeconfig_cluster_name
           namespace = var.namespace
           user      = kubernetes_service_account.forgejo_actions.metadata[0].name
         }
       }
     ]
   }
-  kubeconfig = merge(local.stackit_kubeconfig_stub, local.kubeconfig_user)
-}
-
-data "forgejo_repository" "this" {
-  name  = var.forgejo_repository_name
-  owner = var.forgejo_repository_owner
+  kubeconfig = merge(var.kubeconfig, local.kubeconfig_user)
 }
 
 resource "forgejo_repository_action_secret" "kubeconfig" {
-  repository_id = data.forgejo_repository.this.id
-  name          = "KUBECONFIG"
+  repository_id = var.repository_id
+  name          = "KUBECONFIG_${local.stage_suffix}"
   data          = yamlencode(local.kubeconfig)
 }
 
+resource "forgejo_repository_action_secret" "namespace" {
+  repository_id = var.repository_id
+  name          = "K8S_NAMESPACE_${local.stage_suffix}"
+  data          = var.namespace
+}
+
 resource "forgejo_repository_action_secret" "container_registry" {
   for_each = {
     HOST     = var.harbor_host
     USERNAME = var.harbor_username
     PASSWORD = var.harbor_password
   }
 
-  repository_id = data.forgejo_repository.this.id
+  repository_id = var.repository_id
   name          = "STACKIT_HARBOR_${each.key}"
   data          = each.value
 }
-
-resource "forgejo_repository_action_secret" "additional" {
-  for_each = var.additional_environment_variables
-
-  repository_id = data.forgejo_repository.this.id
-  name          = each.key
-  data          = each.value
-}
diff --git a/modules/ske/forgejo-connector/buildingblock/kubernetes.tf b/modules/ske/forgejo-connector/buildingblock/kubernetes.tf
@@ -65,12 +65,12 @@ resource "kubernetes_secret" "image_pull" {
   data = {
     ".dockerconfigjson" = jsonencode({
       auths = {
-        "${local.harbor.host}" = {
-          username = local.harbor.username
-          password = local.harbor.password
-          auth     = base64encode("${local.harbor.username}:${local.harbor.password}")
+        "${var.harbor_host}" = {
+          username = var.harbor_username
+          password = var.harbor_password
+          auth     = base64encode("${var.harbor_username}:${var.harbor_password}")
         }
       }
     })
   }
-}
+}
diff --git a/modules/ske/forgejo-connector/buildingblock/variables.tf b/modules/ske/forgejo-connector/buildingblock/variables.tf
@@ -4,6 +4,17 @@ variable "harbor_host" {
   default     = "https://registry.onstackit.cloud"
 }
 
+variable "kubeconfig" {
+  type        = any
+  description = "Static kubeconfig content of the SKE cluster."
+  sensitive   = true
+}
+
+variable "kubeconfig_cluster_name" {
+  type        = string
+  description = "Cluster name used in merged kubeconfig context entries."
+}
+
 variable "harbor_username" {
   type        = string
   description = "The username for the Harbor registry."
@@ -16,23 +27,22 @@ variable "harbor_password" {
   sensitive   = true
 }
 
-variable "forgejo_repository_name" {
+variable "repository_id" {
   type        = string
-  description = "The name of the Forgejo repository."
+  description = "The ID of the Forgejo repository."
 }
 
-variable "forgejo_repository_owner" {
+variable "stage" {
   type        = string
-  description = "The owner of the Forgejo repository."
-}
+  description = "Deployment stage used for secret suffixing (`dev` or `prod`)."
 
-variable "additional_environment_variables" {
-  type        = map(string)
-  description = "Map of additional environment variable key/value pairs to set as Forgejo repository action secrets."
-  default     = {}
+  validation {
+    condition     = can(regex("^(dev|prod)$", var.stage))
+    error_message = "stage must be either 'dev' or 'prod'."
+  }
 }
 
 variable "namespace" {
   description = "Associated namespace in kubernetes cluster."
   type        = string
-}
+}