50 lines
1.7 KiB
YAML
50 lines
1.7 KiB
YAML
when:
|
|
- event: push
|
|
branch: fresh-start
|
|
|
|
skip_clone: true
|
|
|
|
steps:
|
|
- name: Get kubernetes access from OpenBao
|
|
image: quay.io/openbao/openbao:2.5.2
|
|
environment:
|
|
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
|
|
ROLE_ID:
|
|
from_secret: flux_reconcile_role_id
|
|
SECRET_ID:
|
|
from_secret: flux_reconcile_secret_id
|
|
commands:
|
|
- bao write -field token auth/approle/login
|
|
role_id=$ROLE_ID
|
|
secret_id=$SECRET_ID > /woodpecker/.vault_id
|
|
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
|
|
- bao write -format json -f /kubernetes/creds/flux-reconcile > /woodpecker/kube_credentials
|
|
- name: Construct Kubeconfig
|
|
image: alpine/k8s:1.32.13
|
|
environment:
|
|
KUBECONFIG: /woodpecker/kubeconfig
|
|
commands:
|
|
- kubectl config set-cluster cluster
|
|
--server=https://$KUBERNETES_SERVICE_HOST
|
|
--client-certificate=/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
- kubectl config set-credentials cluster
|
|
--token=$(jq -r .data.service_account_token /woodpecker/kube_credentials)
|
|
- kubectl config set-context cluster
|
|
--cluster cluster
|
|
--user cluster
|
|
--namespace flux-system
|
|
--current=true
|
|
- name: Reconcile git source
|
|
image: ghcr.io/fluxcd/flux-cli:v2.8.3
|
|
environment:
|
|
KUBECONFIG: /woodpecker/kubeconfig
|
|
commands:
|
|
- flux reconcile source git flux-system
|
|
- name: Invalidate OpenBao token
|
|
image: quay.io/openbao/openbao:2.5.2
|
|
environment:
|
|
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
|
|
commands:
|
|
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
|
|
- bao write -f auth/token/revoke-self
|