From 8cb705fecc9dba3390dfb2bebc884e06dc87e104 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Mon, 2 Mar 2026 18:33:16 +0000
Subject: [PATCH] feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO

- gitea-db-credentials is now a VaultDynamicSecret reading from database/static-creds/gitea (OpenBao static role, 24h password rotation). Replaces the previous KV-based Secret that used a hardcoded localdev password.
- gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets synced from secret/gitea and secret/seaweedfs respectively.
- gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the admin username/password from the VSO-managed Secret instead of values.
---
 base/devtools/gitea-values.yaml | 5 ++
 base/devtools/kustomization.yaml | 1 +
 base/devtools/vault-secrets.yaml | 82 ++++++++++++++++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 base/devtools/vault-secrets.yaml

diff --git a/base/devtools/gitea-values.yaml b/base/devtools/gitea-values.yaml
index 88fc6d4..50ced7c 100644
--- a/base/devtools/gitea-values.yaml
+++ b/base/devtools/gitea-values.yaml
@@ -13,6 +13,11 @@ valkey:
 enabled: false
 
 gitea:
+ admin:
+ username: gitea_admin
+ existingSecret: gitea-admin-credentials
+ email: gitea@local.domain
+
 config:
 server:
 DOMAIN: src.DOMAIN_SUFFIX
diff --git a/base/devtools/kustomization.yaml b/base/devtools/kustomization.yaml
index d51ffb7..bd786e1 100644
--- a/base/devtools/kustomization.yaml
+++ b/base/devtools/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: devtools
 
 resources:
 - namespace.yaml
+ - vault-secrets.yaml
 
 helmCharts:
 # helm repo add gitea-charts https://dl.gitea.com/charts/
diff --git a/base/devtools/vault-secrets.yaml b/base/devtools/vault-secrets.yaml
new file mode 100644
index 0000000..5da8bdb
--- /dev/null
+++ b/base/devtools/vault-secrets.yaml
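Review bot: `username: gitea_admin` sits next to `existingSecret: gitea-admin-credentials`, but if the chart's admin-init logic works as I recall, setting `existingSecret` makes it read both `username` and `password` from that Secret, so the inline username is ignored and can silently drift from the `admin-username` key synced from secret/gitea. Either drop the inline value or mark it, e.g. `# ignored when existingSecret is set: username/password come from the VSO-synced Secret`. Also note the Secret is created asynchronously by VSO, so on a fresh deploy the Gitea pod will presumably wait in a config error until the first sync lands; a one-line comment pointing at base/devtools/vault-secrets.yaml would save the next reader that search. The `gitea:` mapping continues outside the hunk.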
@@ -0,0 +1,82 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vso-auth
+ namespace: devtools
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: vso
+ serviceAccount: default
+---
+# Gitea DB credentials from OpenBao database secrets engine (static role, 24h rotation).
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+ name: gitea-db-credentials
+ namespace: devtools
+spec:
+ vaultAuthRef: vso-auth
+ mount: database
+ path: static-creds/gitea
+ refreshAfter: 1h
+ rolloutRestartTargets:
+ - kind: StatefulSet
+ name: gitea
+ destination:
+ name: gitea-db-credentials
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ password:
+ text: "{{ index .Secrets \"password\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: gitea-s3-credentials
+ namespace: devtools
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: seaweedfs
+ refreshAfter: 30s
+ destination:
+ name: gitea-s3-credentials
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ "access-key":
+ text: "{{ index .Secrets \"access-key\" }}"
+ "secret-key":
+ text: "{{ index .Secrets \"secret-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: gitea-admin-credentials
+ namespace: devtools
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: gitea
+ refreshAfter: 30s
+ destination:
+ name: gitea-admin-credentials
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ username:
+ text: "{{ index .Secrets \"admin-username\" }}"
+ password:
+ text: "{{ index .Secrets \"admin-password\" }}"
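Review bot: `serviceAccount: default` in the VaultAuth spec means any pod in devtools that has the default ServiceAccount token mounted can log in to the OpenBao `vso` role and read everything that role is allowed to — the admin, S3 and DB credentials defined below — which is broader than the operator needs. A dedicated ServiceAccount used only by VSO keeps that to the operator itself (VSO obtains tokens through the TokenRequest API, so the SA never needs a mounted token); the OpenBao role's bound service-account names would need the matching change, which is outside this diff. Separately, the DB secret is re-fetched every `refreshAfter: 1h` while the static role rotates every 24h per the commit message, so after a rotation the synced password can be stale for up to an hour before the rolloutRestart fires — confirm whether VSO honours the `ttl` returned by `static-creds` here, or shorten the interval. `overwrite: true` on each destination also makes VSO take ownership of any pre-existing Secret with that name, which is presumably intended for the migration off the old KV-based Secret but deserves a comment so it is not copied into other manifests by habit.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vso-auth
  namespace: devtools
automountServiceAccountToken: false
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
# … unchanged: metadata …
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: vso-auth
# … unchanged: VaultDynamicSecret and the two VaultStaticSecrets …
```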