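// Manifests for the "drone" namespace: the application definition plus the
// Vault Secrets Operator (VSO) resources that sync credentials from Vault
// into Kubernetes Secrets. The file evaluates to a JSON array of manifests.
local appDef = import './app-definitions.libsonnet';

// Shared values, so the namespace and the VaultAuth name are spelled once
// and the VaultStaticSecrets cannot drift from the VaultAuth they reference.
local namespace = "drone";
local vsoApiVersion = "secrets.hashicorp.com/v1beta1";
local vaultAuthName = "static-auth";

// How VSO authenticates to Vault for this namespace: the Kubernetes auth
// method mounted at "kubernetes", logging in to the "vault-secrets-operator"
// role with the namespace's "default" ServiceAccount and a "vault" audience.
// TODO - maybe extract this, too?
local vaultAuth = {
  apiVersion: vsoApiVersion,
  kind: "VaultAuth",
  metadata: {
    name: vaultAuthName,
    namespace: namespace,
  },
  spec: {
    method: "kubernetes",
    mount: "kubernetes",
    kubernetes: {
      role: "vault-secrets-operator",
      // NOTE(review): this binds the Vault role to the namespace's "default"
      // ServiceAccount. Presumably any pod in the namespace that runs under
      // that SA (with its token automounted) can then log in to the same
      // role — verify against the Vault role binding. A dedicated SA for VSO
      // would narrow that; changing it here means updating the Vault role
      // in step, so it is left as-is.
      serviceAccount: "default",
      audiences: ["vault"],
    },
  },
};

// A VaultStaticSecret that syncs the kv-v2 secret at `path` (under the
// "shared-secrets" mount) into a Kubernetes Secret named `name` in this
// namespace. `create: true` lets the operator create the destination Secret;
// the source is re-read every 30s. Both secrets share the VaultAuth above.
local vaultStaticSecret(name, path) = {
  apiVersion: vsoApiVersion,
  kind: "VaultStaticSecret",
  metadata: {
    name: name,
    namespace: namespace,
  },
  spec: {
    type: "kv-v2",
    mount: "shared-secrets",
    path: path,
    destination: {
      name: name,
      create: true,
    },
    refreshAfter: "30s",
    vaultAuthRef: vaultAuthName,
  },
};

[
  appDef.localApplication(name="drone"),
  vaultAuth,
  // Note that currently this secret is created manually and statically. It'd be really cool for cold-start setup if OAuth
  // App creation could be triggered at Gitea startup, and a secret automatically created!
  vaultStaticSecret("gitea-oauth-creds", "gitea/oauth-creds"),
  vaultStaticSecret("mastodon-creds", "mastodon/creds"),
]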