---
# ServiceAccount whose projected token the Vault Secrets Operator presents
# to Vault's kubernetes auth method (see the VaultAuth resource in this file).
# It carries no RBAC of its own; it only needs to be bindable to the Vault role.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: woodpecker
  name: woodpecker-secret
---
# How VSO authenticates to Vault for the VaultStaticSecrets in this namespace:
# kubernetes auth method mounted at auth/kubernetes, logging in as the
# woodpecker-secret ServiceAccount against the Vault role "woodpecker".
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: woodpecker
  name: woodpecker
spec:
  # Auth method type and the path it is mounted at on the Vault side
  mount: kubernetes
  method: kubernetes
  kubernetes:
    # NOTE(review): the Vault role should be bound only to this ServiceAccount
    # and namespace, so no other SA in the cluster can assume it — confirm in Vault
    serviceAccount: woodpecker-secret
    role: woodpecker
---
# Main woodpecker secrets from Vault
# Requires vault kv put secret/woodpecker \
#   WOODPECKER_AGENT_SECRET="$(openssl rand -hex 32)" \
#   WOODPECKER_GITEA_CLIENT="<gitea-oauth-client>" \
#   WOODPECKER_GITEA_SECRET="<gitea-oauth-secret>"
# Note: Database password comes from CNPG secret (woodpecker-postgresql-cluster-app)
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: woodpecker
  name: woodpecker-secrets
spec:
  # Authenticate via the VaultAuth named "woodpecker" in this namespace
  vaultAuthRef: woodpecker
  # KV v2 engine mounted at secret/, reading the key secret/woodpecker
  type: kv-v2
  mount: secret
  path: woodpecker
  # Materialised as an Opaque Secret that VSO creates and owns
  destination:
    name: woodpecker-secrets
    type: Opaque
    create: true
  transformation:
    # Keeps VSO's _raw key (the full Vault response) out of the Kubernetes Secret,
    # so only the individual KV fields are exposed
    excludeRaw: true
  # NOTE(review): no refreshAfter is set here; presumably the Secret is not
  # re-synced after a rotation in Vault — confirm against VSO defaults and
  # consider adding one (e.g. `refreshAfter: 1h`, constructed value)
---
# Container registry credentials for Kaniko
# Requires vault kv put secret/container-registry \
#   REGISTRY_USERNAME="<username>" \
#   REGISTRY_PASSWORD="<token>"
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: woodpecker
  name: container-registry
spec:
  # Same VaultAuth as the main woodpecker secrets
  vaultAuthRef: woodpecker
  # KV v2 engine mounted at secret/, reading the key secret/container-registry
  type: kv-v2
  mount: secret
  path: container-registry
  # Materialised as an Opaque Secret that VSO creates and owns
  destination:
    name: container-registry
    type: Opaque
    create: true
  transformation:
    # Keeps VSO's _raw key (the full Vault response) out of the Kubernetes Secret
    excludeRaw: true
  # NOTE(review): as with woodpecker-secrets, no refreshAfter is set; a rotated
  # registry token presumably won't propagate until reconciled — confirm against
  # VSO defaults and consider adding one