move renovate gitea token to vault

2025-05-17 22:51:15 +02:00
parent 5f3a775201
commit af29de91d6
5 changed files with 49 additions and 1 deletions


@@ -18,7 +18,7 @@ spec:
image: renovate/renovate:40.11.6-full image: renovate/renovate:40.11.6-full
envFrom: envFrom:
- secretRef: - secretRef:
name: renovate-env name: renovate-gitea-token
- configMapRef: - configMapRef:
name: renovate-config name: renovate-config
restartPolicy: Never restartPolicy: Never
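Review bot: The previous `renovate-env` Secret is not removed anywhere in this commit; the kustomization hunk shows it was never managed from this repo, so it was presumably created by hand and still holds the old token in the namespace alongside the new Vault-synced one. Once the `renovate-gitea-token` Secret is confirmed to sync, delete the old Secret and rotate the Gitea token so the out-of-band plaintext copy stops being valid. The new `secretRef` is not marked `optional`, so a job scheduled before the VaultStaticSecret has synced fails to start instead of running without credentials, which is the right default and worth keeping. The enclosing CronJob spec starts outside the hunk.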


@@ -3,4 +3,5 @@ kind: Kustomization
resources: resources:
- namespace.yaml - namespace.yaml
- configmap.yaml - configmap.yaml
- secret.yaml
- cronjob.yaml - cronjob.yaml

38
apps/renovate/secret.yaml Normal file

@@ -0,0 +1,38 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: renovate
namespace: renovate
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: renovate
namespace: renovate
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: renovate
serviceAccount: renovate
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: renovate-gitea-token
namespace: renovate
spec:
type: kv-v2
mount: secret
path: renovate
destination:
create: true
name: renovate-gitea-token
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: renovate
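Review bot: The VaultStaticSecret sets no `refreshAfter`, so after the initial sync the operator does not re-read `secret/renovate`; a Gitea token rotated in Vault would never reach the Kubernetes Secret and the job would keep using the stale value until the resource is recreated. Add `refreshAfter: 1h` (or whatever cadence suits the rotation policy) under the VaultStaticSecret `spec`; a rollout-restart target is not needed because each CronJob run creates a fresh pod that reads the Secret at start. `excludeRaw: true` is the right choice here since the Secret is consumed via `envFrom` — without it the `_raw` JSON blob would also be injected as an environment variable. For the same reason every key stored at that Vault path becomes an env var in the Renovate container, so the KV entry should contain only the variables Renovate is meant to read.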


@@ -0,0 +1,6 @@
bound_service_account_names:
- renovate
bound_service_account_namespaces:
- renovate
token_policies:
- renovate
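Review bot: The Kubernetes auth role binds the service account name and namespace but sets no `audience`, so any projected token issued for `renovate/renovate`, regardless of the audience it was minted for, is accepted by this role. Pin it with `audience: <vault-audience-placeholder>` and set the matching `tokenAudiences` on the VaultAuth in secret.yaml so a token stolen from some other consumer of that service account cannot be replayed against Vault. The role also leaves `token_ttl`/`token_max_ttl` unset, so issued Vault tokens inherit the mount defaults; a short explicit `token_ttl: 1h` is appropriate since the operator re-authenticates on its own.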


@@ -0,0 +1,3 @@
path "secret/data/renovate" {
capabilities = ["read"]
}