[DO-1600] Fix use Bank VAult in avroid-staging (!62)

[DO-1600] Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/62
2025-02-26 19:54:16 +03:00
parent 87cf1a1380
commit 649e0ad589
4 changed files with 35 additions and 3 deletions
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
@@ -6,6 +6,11 @@ metadata:
    app.kubernetes.io/managed-by: argocd
  name: harbor-registry-secret
  namespace: avroid-prod
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+    vault.security.banzaicloud.io/vault-role: "avroid-staging"
+    vault.security.banzaicloud.io/vault-skip-verify: "false"
+    vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml
@@ -6,6 +6,11 @@ metadata:
    app.kubernetes.io/managed-by: argocd
  name: harbor-registry-secret
  namespace: avroid-staging
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+    vault.security.banzaicloud.io/vault-role: "avroid-staging"
+    vault.security.banzaicloud.io/vault-skip-verify: "false"
+    vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -34,6 +34,13 @@ resources:
 nodeSelector:
  node-role.kubernetes.io/worker: ""

+## @param podAnnotations Pod annotations.
+podAnnotations:
+  vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+  vault.security.banzaicloud.io/vault-role: "avroid-staging"
+  vault.security.banzaicloud.io/vault-skip-verify: "false"
+  vault.security.banzaicloud.io/vault-path: "avroid-office"
+
 ## @section App parameters

 app:
@@ -118,6 +125,14 @@ app:
      webhook:
        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"

+## @section Security parameters
+
+serviceAccount:
+  ## @param serviceAccount.create Specifies whether a service account should be created
+  create: false
+  ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+  name: "vault"
+
 ## ref: https://kubernetes.io/docs/user-guide/ingress/
 ingress: