diff --git a/apps/renovate/cronjob.yaml b/apps/renovate/cronjob.yaml
index b163881..ca346d9 100644
--- a/apps/renovate/cronjob.yaml
+++ b/apps/renovate/cronjob.yaml
@@ -18,7 +18,7 @@ spec:
 image: renovate/renovate:40.11.6-full
 envFrom:
 - secretRef:
- name: renovate-env
+ name: renovate-gitea-token
 - configMapRef:
 name: renovate-config
 restartPolicy: Never
diff --git a/apps/renovate/kustomization.yaml b/apps/renovate/kustomization.yaml
index e63930f..d9465a6 100644
--- a/apps/renovate/kustomization.yaml
+++ b/apps/renovate/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - configmap.yaml
+ - secret.yaml
 - cronjob.yaml
diff --git a/apps/renovate/secret.yaml b/apps/renovate/secret.yaml
new file mode 100644
index 0000000..aeb4e7f
--- /dev/null
+++ b/apps/renovate/secret.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: renovate
+ namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: renovate
+ namespace: renovate
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: renovate
+ serviceAccount: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: renovate-gitea-token
+ namespace: renovate
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: renovate
+
+ destination:
+ create: true
+ name: renovate-gitea-token
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: renovate
diff --git a/vault/kubernetes-roles/renovate.yaml b/vault/kubernetes-roles/renovate.yaml
new file mode 100644
index 0000000..f8cb9bc
--- /dev/null
+++ b/vault/kubernetes-roles/renovate.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - renovate
+bound_service_account_namespaces:
+ - renovate
+token_policies:
+ - renovate
diff --git a/vault/policy/renovate.hcl b/vault/policy/renovate.hcl
new file mode 100644
index 0000000..01c980a
--- /dev/null
+++ b/vault/policy/renovate.hcl
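Review bot: The new `secretRef` name `renovate-gitea-token` ties this pod's environment to whatever keys the Vault kv-v2 entry at `secret/renovate` happens to hold, but nothing in the CronJob records that contract, so a renamed or missing key in Vault only shows up as Renovate failing to authenticate on the next run. Add a comment above the secretRef, e.g. `# synced from Vault kv secret/renovate by the VaultStaticSecret in secret.yaml; its keys (presumably RENOVATE_TOKEN) become env vars`. The previous `renovate-env` Secret is not deleted in this diff; if it still exists in the cluster it keeps a copy of the old token and should be removed once the job runs cleanly with the new source. The enclosing container spec starts outside the hunk.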
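Review bot: `secret.yaml` holds a ServiceAccount, a VaultAuth and a VaultStaticSecret but no `Secret`, so the file name misleads anyone looking for where the Gitea token is defined; a name such as `vault.yaml` (with the matching kustomization entry) would read better. The VaultStaticSecret sets no `refreshAfter`, so after the token is rotated in Vault the Kubernetes Secret is refreshed on the operator's default interval — acceptable for a CronJob, which reads envFrom at each pod start, but worth stating explicitly, e.g. `refreshAfter: 10m  # rotation in Vault reaches the next CronJob run within this window`. `excludeRaw: true` is the right choice here, as it keeps the raw Vault response (with its metadata) out of the destination Secret.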
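Review bot: The kubernetes auth role binds only the `renovate` ServiceAccount in the `renovate` namespace, which is the right scope, but it sets no `token_ttl`/`token_max_ttl`, so the Vault tokens issued to the operator for this role inherit the auth mount's defaults rather than a deliberately short lifetime. Since the operator re-authenticates as needed, a short lease costs nothing: add `token_ttl: 1h` and `token_max_ttl: 4h` (constructed values — adjust to the mount's defaults). How this file is applied to Vault is not visible here, so confirm the key spelling against that tooling.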
@@ -0,0 +1,3 @@
+path "secret/data/renovate" {
+ capabilities = ["read"]
+}
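Review bot: The policy grants `read` on exactly `secret/data/renovate`, which is the minimal path the VaultStaticSecret needs, but it carries no comment tying it to its consumer, so a later reader has to trace the kubernetes role and the VSO objects to see why it exists and what may depend on it. Add a header such as `# read-only access for VaultStaticSecret renovate/renovate-gitea-token (apps/renovate/secret.yaml), granted via kubernetes auth role "renovate"`. Keeping the path unwildcarded (no `secret/data/renovate/*`) is the right call and should stay that way.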