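# CI pipeline (Woodpecker-style syntax: `skip_clone`, `from_secret`, list-form
# `when`): log in to OpenBao with an AppRole, lease a short-lived Kubernetes
# service-account token, assemble a kubeconfig from it, trigger a Flux
# reconcile, then revoke the OpenBao token so the lease dies with the run.
#
# Each step is its own container, so environment variables do not carry over;
# state is handed between steps through the shared `secrets` volume:
#   /secrets/.vault_id        OpenBao client token from the AppRole login
#   /secrets/kube_credentials JSON response of the kubernetes secrets engine
#   /secrets/kubeconfig       kubeconfig built from the two files above
#
# Reconstruction note: the source rendering had lost all indentation and had
# escaped the shell redirections as `\>`; the commands below assume a plain
# `>` was intended. Image tags are version-pinned; pinning by digest would
# additionally protect against a re-tagged image.

when:
  - event: push
    branch: fresh-start

# The repository contents are not needed by any step; only the secrets are.
skip_clone: true

steps:
  - name: Get kubernetes access from OpenBao
    image: quay.io/openbao/openbao:2.5.2
    volumes:
      - secrets:/secrets
    environment:
      ROLE_ID:
        from_secret: flux_reconcile_role_id
      SECRET_ID:
        from_secret: flux_reconcile_secret_id
    commands:
      # AppRole login; `-field token` keeps only the client token, which is
      # persisted for the later steps.
      - >-
        bao write -field token auth/approle/login
        role_id=$ROLE_ID
        secret_id=$SECRET_ID
        > /secrets/.vault_id
      - export VAULT_TOKEN=$(cat /secrets/.vault_id)
      # Lease a service-account token. `-f` is required because no
      # KEY=VALUE data is supplied; without it `write` refuses to run.
      # NOTE(review): whether the role needs an explicit kubernetes_namespace
      # depends on its configuration in OpenBao — confirm against the role.
      - >-
        bao write -f -format json /kubernetes/creds/flux-reconcile
        > /secrets/kube_credentials
      # Removed: a bare `bao read -format` — the original line carried neither
      # a format value nor a path, so flag parsing rejects it and the step
      # fails before any later step runs.

  - name: Construct Kubeconfig
    image: alpine/k8s:1.32.13
    volumes:
      - secrets:/secrets
    environment:
      KUBECONFIG: /secrets/kubeconfig
    commands:
      # `--certificate-authority` pins the API server certificate. The original
      # passed `--client-certificate`, which `set-cluster` does not accept and
      # which is a client-identity flag, not a CA flag, so TLS would have been
      # unverified even had it parsed.
      # NOTE(review): the ca.crt path and $KUBERNETES_SERVICE_HOST are only
      # present when the step runs as an in-cluster pod — confirm for the agent
      # backend in use.
      - >-
        kubectl config set-cluster cluster
        --server=https://$KUBERNETES_SERVICE_HOST
        --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt
      - >-
        kubectl config set-credentials cluster
        --token=$(jq -r .data.service_account_token /secrets/kube_credentials)
      - >-
        kubectl config set-context cluster
        --cluster cluster
        --user cluster
        --namespace flux-system
      # `--current` on set-context edits whatever context is already current;
      # it does not select the new one. `use-context` is what makes `cluster`
      # the current context the flux step will pick up.
      - kubectl config use-context cluster

  - name: Reconcile git source
    image: ghcr.io/fluxcd/flux-cli:v2.8.3
    volumes:
      - secrets:/secrets
    environment:
      KUBECONFIG: /secrets/kubeconfig
    commands:
      - flux reconcile source git flux-system

  - name: Invalidate OpenBao token
    image: quay.io/openbao/openbao:2.5.2
    # Run on failure as well, so the token and the leases it created (the
    # kubernetes credential) never outlive the pipeline.
    when:
      - status: [success, failure]
    volumes:
      - secrets:/secrets
    commands:
      # Nothing to revoke if the login step never produced a token.
      - test -f /secrets/.vault_id || exit 0
      - export VAULT_TOKEN=$(cat /secrets/.vault_id)
      # revoke-self takes no data, hence `-f`; it also revokes child leases.
      - bao write -f auth/token/revoke-self
      # Remove the credential files in case the `secrets` volume persists
      # beyond this run (depends on the agent backend).
      - rm -f /secrets/.vault_id /secrets/kube_credentials /secrets/kubeconfig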