[DO-1600] Change use Bank Vault by custom secret (!63)
[DO-1600] Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/63
This commit is contained in:
Denis Patrakeev
@@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
|
name: gitea-sonarqube-bot-staging-secret-from-vault
|
||||||
|
namespace: avroid-staging
|
||||||
|
annotations:
|
||||||
|
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
|
||||||
|
vault.security.banzaicloud.io/vault-role: "avroid-staging"
|
||||||
|
vault.security.banzaicloud.io/vault-skip-verify: "false"
|
||||||
|
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
gitea_sonarqube_bot_staging_gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
|
||||||
|
gitea_sonarqube_bot_staging_gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
|
||||||
|
gitea_sonarqube_bot_staging_sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
|
||||||
|
gitea_sonarqube_bot_staging_sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
|
||||||
|
gitea_sonarqube_bot_staging_bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
|
||||||
@@ -34,13 +34,6 @@ resources:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/worker: ""
|
node-role.kubernetes.io/worker: ""
|
||||||
|
|
||||||
## @param podAnnotations Pod annotations.
|
|
||||||
podAnnotations:
|
|
||||||
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
|
|
||||||
vault.security.banzaicloud.io/vault-role: "avroid-staging"
|
|
||||||
vault.security.banzaicloud.io/vault-skip-verify: "false"
|
|
||||||
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
|
||||||
|
|
||||||
## @section App parameters
|
## @section App parameters
|
||||||
|
|
||||||
app:
|
app:
|
||||||
@@ -59,7 +52,7 @@ app:
|
|||||||
## User needs "Read project" permissions with access to "Pull Requests"
|
## User needs "Read project" permissions with access to "Pull Requests"
|
||||||
## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
|
## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
|
||||||
token:
|
token:
|
||||||
value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
|
value: "$gitea_sonarqube_bot_staging_gitea_token_value"
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# file: /bot/secrets/gitea/user-token
|
# file: /bot/secrets/gitea/user-token
|
||||||
|
|
||||||
@@ -70,7 +63,7 @@ app:
|
|||||||
## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
|
## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
|
||||||
## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
|
## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
|
secret: "$gitea_sonarqube_bot_staging_gitea_webhook_secret"
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# secretFile: /bot/secrets/gitea/webhook-secret
|
# secretFile: /bot/secrets/gitea/webhook-secret
|
||||||
|
|
||||||
@@ -83,7 +76,7 @@ app:
|
|||||||
## User needs "Browse on project" permissions
|
## User needs "Browse on project" permissions
|
||||||
## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
|
## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
|
||||||
token:
|
token:
|
||||||
value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
|
value: "$gitea_sonarqube_bot_staging_sonarqube_token_value"
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# file: /bot/secrets/sonarqube/user-token
|
# file: /bot/secrets/sonarqube/user-token
|
||||||
|
|
||||||
@@ -95,7 +88,7 @@ app:
|
|||||||
## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
|
## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
|
||||||
## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
|
## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
|
secret: "$gitea_sonarqube_bot_staging_sonarqube_webhook_secret"
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# secretFile: /bot/secrets/sonarqube/webhook-secret
|
# secretFile: /bot/secrets/sonarqube/webhook-secret
|
||||||
|
|
||||||
@@ -123,15 +116,7 @@ app:
|
|||||||
|
|
||||||
bitbucket:
|
bitbucket:
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
|
secret: "$gitea_sonarqube_bot_staging_bitbucket_webhook_secret"
|
||||||
|
|
||||||
## @section Security parameters
|
|
||||||
|
|
||||||
serviceAccount:
|
|
||||||
## @param serviceAccount.create Specifies whether a service account should be created
|
|
||||||
create: false
|
|
||||||
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
|
||||||
name: "vault"
|
|
||||||
|
|
||||||
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
||||||
ingress:
|
ingress:
|
||||||
|
|||||||
Reference in New Issue
Block a user