feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO
- gitea-db-credentials is now a VaultDynamicSecret reading from database/static-creds/gitea (OpenBao static role, 24h password rotation). Replaces the previous KV-based Secret that used a hardcoded localdev password. - gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets synced from secret/gitea and secret/seaweedfs respectively. - gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the admin username/password from the VSO-managed Secret instead of values.
This commit is contained in:
@@ -13,6 +13,11 @@ valkey:
|
|||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
|
admin:
|
||||||
|
username: gitea_admin
|
||||||
|
existingSecret: gitea-admin-credentials
|
||||||
|
email: gitea@local.domain
|
||||||
|
|
||||||
config:
|
config:
|
||||||
server:
|
server:
|
||||||
DOMAIN: src.DOMAIN_SUFFIX
|
DOMAIN: src.DOMAIN_SUFFIX
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ namespace: devtools
|
|||||||
|
|
||||||
resources:
|
resources:
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
|
- vault-secrets.yaml
|
||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
# helm repo add gitea-charts https://dl.gitea.com/charts/
|
# helm repo add gitea-charts https://dl.gitea.com/charts/
|
||||||
|
|||||||
82
base/devtools/vault-secrets.yaml
Normal file
82
base/devtools/vault-secrets.yaml
Normal file
@@ -0,0 +1,82 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: vso-auth
|
||||||
|
namespace: devtools
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: kubernetes
|
||||||
|
kubernetes:
|
||||||
|
role: vso
|
||||||
|
serviceAccount: default
|
||||||
|
---
|
||||||
|
# Gitea DB credentials from OpenBao database secrets engine (static role, 24h rotation).
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultDynamicSecret
|
||||||
|
metadata:
|
||||||
|
name: gitea-db-credentials
|
||||||
|
namespace: devtools
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: vso-auth
|
||||||
|
mount: database
|
||||||
|
path: static-creds/gitea
|
||||||
|
refreshAfter: 1h
|
||||||
|
rolloutRestartTargets:
|
||||||
|
- kind: StatefulSet
|
||||||
|
name: gitea
|
||||||
|
destination:
|
||||||
|
name: gitea-db-credentials
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
transformation:
|
||||||
|
excludeRaw: true
|
||||||
|
templates:
|
||||||
|
password:
|
||||||
|
text: "{{ index .Secrets \"password\" }}"
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: gitea-s3-credentials
|
||||||
|
namespace: devtools
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: vso-auth
|
||||||
|
mount: secret
|
||||||
|
type: kv-v2
|
||||||
|
path: seaweedfs
|
||||||
|
refreshAfter: 30s
|
||||||
|
destination:
|
||||||
|
name: gitea-s3-credentials
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
transformation:
|
||||||
|
excludeRaw: true
|
||||||
|
templates:
|
||||||
|
"access-key":
|
||||||
|
text: "{{ index .Secrets \"access-key\" }}"
|
||||||
|
"secret-key":
|
||||||
|
text: "{{ index .Secrets \"secret-key\" }}"
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: gitea-admin-credentials
|
||||||
|
namespace: devtools
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: vso-auth
|
||||||
|
mount: secret
|
||||||
|
type: kv-v2
|
||||||
|
path: gitea
|
||||||
|
refreshAfter: 30s
|
||||||
|
destination:
|
||||||
|
name: gitea-admin-credentials
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
transformation:
|
||||||
|
excludeRaw: true
|
||||||
|
templates:
|
||||||
|
username:
|
||||||
|
text: "{{ index .Secrets \"admin-username\" }}"
|
||||||
|
password:
|
||||||
|
text: "{{ index .Secrets \"admin-password\" }}"
|
||||||
Reference in New Issue
Block a user