feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO
- gitea-db-credentials is now a VaultDynamicSecret reading from database/static-creds/gitea (OpenBao static role, 24h password rotation). Replaces the previous KV-based Secret that used a hardcoded localdev password. - gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets synced from secret/gitea and secret/seaweedfs respectively. - gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the admin username/password from the VSO-managed Secret instead of values.
This commit is contained in:
@@ -13,6 +13,11 @@ valkey:
|
||||
enabled: false
|
||||
|
||||
gitea:
|
||||
admin:
|
||||
username: gitea_admin
|
||||
existingSecret: gitea-admin-credentials
|
||||
email: gitea@local.domain
|
||||
|
||||
config:
|
||||
server:
|
||||
DOMAIN: src.DOMAIN_SUFFIX
|
||||
|
||||
@@ -5,6 +5,7 @@ namespace: devtools
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- vault-secrets.yaml
|
||||
|
||||
helmCharts:
|
||||
# helm repo add gitea-charts https://dl.gitea.com/charts/
|
||||
|
||||
82
base/devtools/vault-secrets.yaml
Normal file
82
base/devtools/vault-secrets.yaml
Normal file
@@ -0,0 +1,82 @@
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vso-auth
|
||||
namespace: devtools
|
||||
spec:
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
||||
kubernetes:
|
||||
role: vso
|
||||
serviceAccount: default
|
||||
---
|
||||
# Gitea DB credentials from OpenBao database secrets engine (static role, 24h rotation).
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultDynamicSecret
|
||||
metadata:
|
||||
name: gitea-db-credentials
|
||||
namespace: devtools
|
||||
spec:
|
||||
vaultAuthRef: vso-auth
|
||||
mount: database
|
||||
path: static-creds/gitea
|
||||
refreshAfter: 1h
|
||||
rolloutRestartTargets:
|
||||
- kind: StatefulSet
|
||||
name: gitea
|
||||
destination:
|
||||
name: gitea-db-credentials
|
||||
create: true
|
||||
overwrite: true
|
||||
transformation:
|
||||
excludeRaw: true
|
||||
templates:
|
||||
password:
|
||||
text: "{{ index .Secrets \"password\" }}"
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: gitea-s3-credentials
|
||||
namespace: devtools
|
||||
spec:
|
||||
vaultAuthRef: vso-auth
|
||||
mount: secret
|
||||
type: kv-v2
|
||||
path: seaweedfs
|
||||
refreshAfter: 30s
|
||||
destination:
|
||||
name: gitea-s3-credentials
|
||||
create: true
|
||||
overwrite: true
|
||||
transformation:
|
||||
excludeRaw: true
|
||||
templates:
|
||||
"access-key":
|
||||
text: "{{ index .Secrets \"access-key\" }}"
|
||||
"secret-key":
|
||||
text: "{{ index .Secrets \"secret-key\" }}"
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: gitea-admin-credentials
|
||||
namespace: devtools
|
||||
spec:
|
||||
vaultAuthRef: vso-auth
|
||||
mount: secret
|
||||
type: kv-v2
|
||||
path: gitea
|
||||
refreshAfter: 30s
|
||||
destination:
|
||||
name: gitea-admin-credentials
|
||||
create: true
|
||||
overwrite: true
|
||||
transformation:
|
||||
excludeRaw: true
|
||||
templates:
|
||||
username:
|
||||
text: "{{ index .Secrets \"admin-username\" }}"
|
||||
password:
|
||||
text: "{{ index .Secrets \"admin-password\" }}"
|
||||
Reference in New Issue
Block a user