parent
1926560274
commit
4c82c014f8
@ -1,3 +1,46 @@ |
local appDef = import './app-definitions.libsonnet'; |
local appDef = import './app-definitions.libsonnet'; |
|
|
appDef.localApplication(name="drone") |
[ |
appDef.localApplication(name="drone"), |
|
// TODO - maybe extract this, too? |
{ |
apiVersion: "secrets.hashicorp.com/v1beta1", |
kind: "VaultAuth", |
metadata: { |
name: "static-auth", |
namespace: "drone" |
}, |
spec: { |
method: "kubernetes", |
mount: "kubernetes", |
kubernetes: { |
role: "vault-secrets-operator", |
serviceAccount: "default", |
audiences: ["vault"] |
} |
} |
}, |
|
// Note that currently this secret is created manually and statically. It'd be really cool for cold-start setup if OAuth |
// App creation could be triggered at Gitea startup, and a secret automatically created! |
{ |
apiVersion: "secrets.hashicorp.com/v1beta1", |
kind: "VaultStaticSecret", |
metadata: { |
name: "gitea-oauth-creds", |
namespace: "drone" |
}, |
spec: { |
type: "kv-v2", |
mount: "shared-secrets", |
path: "gitea/oauth-creds", |
destination: { |
name: "gitea-oauth-creds", |
create: true |
}, |
refreshAfter: "30s", |
vaultAuthRef: "static-auth" |
} |
} |
] |
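Review bot: The VaultAuth's `kubernetes:` block binds Vault authentication to `serviceAccount: "default"` in the `drone` namespace, so every pod in that namespace that runs under the default ServiceAccount carries the identity the `vault-secrets-operator` Vault role trusts, not just the operator's secret sync. A dedicated ServiceAccount used only for this binding keeps Vault access off the namespace default, e.g. `serviceAccount: "vault-secrets-operator"` alongside a matching ServiceAccount object in `drone` and that name in the Vault role's bound_service_account_names. The role name reads as a cluster-wide operator role rather than a per-application one; if it is shared, its policy should grant read only on `shared-secrets/gitea/oauth-creds` (or the role be split per app), since `mount: "shared-secrets"` suggests other secrets live beside it — this cannot be confirmed from the hunk. `refreshAfter: "30s"` also polls Vault every 30 seconds for a secret the comment above says is created manually and statically; an interval of minutes would match that and reduce audit-log noise.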