add woodpecker ci

apps/woodpecker/secret.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: woodpecker-secret
+  namespace: woodpecker
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: woodpecker
+  namespace: woodpecker
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: woodpecker
+    serviceAccount: woodpecker-secret
+---
+# Main woodpecker secrets from Vault
+# Requires vault kv put secret/woodpecker \
+#   WOODPECKER_AGENT_SECRET="$(openssl rand -hex 32)" \
+#   WOODPECKER_GITEA_CLIENT="<gitea-oauth-client>" \
+#   WOODPECKER_GITEA_SECRET="<gitea-oauth-secret>"
+# Note: Database password comes from CNPG secret (woodpecker-postgresql-cluster-app)
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: woodpecker-secrets
+  namespace: woodpecker
+spec:
+  type: kv-v2
+  mount: secret
+  path: woodpecker
+  destination:
+    create: true
+    name: woodpecker-secrets
+    type: Opaque
+    transformation:
+      excludeRaw: true
+  vaultAuthRef: woodpecker
+---
+# Container registry credentials for Kaniko
+# Requires vault kv put secret/container-registry \
+#   REGISTRY_USERNAME="<username>" \
+#   REGISTRY_PASSWORD="<token>"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: container-registry
+  namespace: woodpecker
+spec:
+  type: kv-v2
+  mount: secret
+  path: container-registry
+  destination:
+    create: true
+    name: container-registry
+    type: Opaque
+    transformation:
+      excludeRaw: true
+  vaultAuthRef: woodpecker