[DO-1600] Test use Bank Vault by volumes (!66)

[DO-1600] Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/66
2025-02-28 13:46:11 +03:00
parent 18dab12b99
commit d153756a7f
2 changed files with 26 additions and 14 deletions
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
@@ -13,8 +13,8 @@ metadata:
    vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: Opaque
 data:
-  gitea_sonarqube_bot_staging_gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
-  gitea_sonarqube_bot_staging_gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
-  gitea_sonarqube_bot_staging_sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
-  gitea_sonarqube_bot_staging_sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
-  gitea_sonarqube_bot_staging_bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
+  .gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
+  .gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
+  .sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
+  .sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
+  .bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -59,9 +59,9 @@ app:
      ## User needs "Read project" permissions with access to "Pull Requests"
      ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
      token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
+        # value: ""
        # # or path to file containing the plain text secret
-        # file: /bot/secrets/gitea/user-token
+        file: /bot/secrets/.gitea_token_value

      ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
      ## request will be ignored.
@@ -70,9 +70,9 @@ app:
      ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
      ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
      webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
+        # secret: ""
        # # or path to file containing the plain text secret
-        # secretFile: /bot/secrets/gitea/webhook-secret
+        secretFile: /bot/secrets/.gitea_webhook_secret

    ## SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
    sonarqube:
@@ -83,9 +83,9 @@ app:
      ## User needs "Browse on project" permissions
      ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
      token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
+        # value: ""
        # # or path to file containing the plain text secret
-        # file: /bot/secrets/sonarqube/user-token
+        file: /bot/secrets/.sonarqube_token_value

      ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
      ## request will be ignored.
@@ -95,9 +95,9 @@ app:
      ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
      ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
      webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
+        # secret: ""
        # # or path to file containing the plain text secret
-        # secretFile: /bot/secrets/sonarqube/webhook-secret
+        secretFile: /bot/secrets/.sonarqube_webhook_secret

    ## List of project mappings to take care of. Webhooks for other projects will be ignored.
    ## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
@@ -123,9 +123,21 @@ app:

    bitbucket:
      webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
+        secretFile: /bot/secrets/.bitbucket_webhook_secret


+## @param volumes If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
+volumes:
+  - name: gitea-sonarqube-bot-staging-secrets
+    secret:
+      secretName: gitea-sonarqube-bot-staging-secret-from-vault
+
+## @param volumeMounts If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
+volumeMounts:
+  - name: gitea-sonarqube-bot-staging-secrets
+    readOnly: true
+    mountPath: "/bot/secrets"
+
 ## @section Security parameters

 serviceAccount: