[DO-1600] Test use Bank Vault by volumes (!66)
[DO-1600] Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/66
This commit is contained in:
Denis Patrakeev
@@ -13,8 +13,8 @@ metadata:
|
|||||||
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
gitea_sonarqube_bot_staging_gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
|
.gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
|
||||||
gitea_sonarqube_bot_staging_gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
|
.gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
|
||||||
gitea_sonarqube_bot_staging_sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
|
.sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
|
||||||
gitea_sonarqube_bot_staging_sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
|
.sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
|
||||||
gitea_sonarqube_bot_staging_bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
|
.bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
|
||||||
|
|||||||
@@ -59,9 +59,9 @@ app:
|
|||||||
## User needs "Read project" permissions with access to "Pull Requests"
|
## User needs "Read project" permissions with access to "Pull Requests"
|
||||||
## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
|
## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
|
||||||
token:
|
token:
|
||||||
value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
|
# value: ""
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# file: /bot/secrets/gitea/user-token
|
file: /bot/secrets/.gitea_token_value
|
||||||
|
|
||||||
## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
|
## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
|
||||||
## request will be ignored.
|
## request will be ignored.
|
||||||
@@ -70,9 +70,9 @@ app:
|
|||||||
## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
|
## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
|
||||||
## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
|
## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
|
# secret: ""
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# secretFile: /bot/secrets/gitea/webhook-secret
|
secretFile: /bot/secrets/.gitea_webhook_secret
|
||||||
|
|
||||||
## SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
|
## SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
|
||||||
sonarqube:
|
sonarqube:
|
||||||
@@ -83,9 +83,9 @@ app:
|
|||||||
## User needs "Browse on project" permissions
|
## User needs "Browse on project" permissions
|
||||||
## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
|
## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
|
||||||
token:
|
token:
|
||||||
value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
|
# value: ""
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# file: /bot/secrets/sonarqube/user-token
|
file: /bot/secrets/.sonarqube_token_value
|
||||||
|
|
||||||
## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
|
## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
|
||||||
## request will be ignored.
|
## request will be ignored.
|
||||||
@@ -95,9 +95,9 @@ app:
|
|||||||
## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
|
## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
|
||||||
## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
|
## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
|
# secret: ""
|
||||||
# # or path to file containing the plain text secret
|
# # or path to file containing the plain text secret
|
||||||
# secretFile: /bot/secrets/sonarqube/webhook-secret
|
secretFile: /bot/secrets/.sonarqube_webhook_secret
|
||||||
|
|
||||||
## List of project mappings to take care of. Webhooks for other projects will be ignored.
|
## List of project mappings to take care of. Webhooks for other projects will be ignored.
|
||||||
## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
|
## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
|
||||||
@@ -123,9 +123,21 @@ app:
|
|||||||
|
|
||||||
bitbucket:
|
bitbucket:
|
||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
|
secretFile: /bot/secrets/.bitbucket_webhook_secret
|
||||||
|
|
||||||
|
|
||||||
|
## @param volumes If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
|
||||||
|
volumes:
|
||||||
|
- name: gitea-sonarqube-bot-staging-secrets
|
||||||
|
secret:
|
||||||
|
secretName: gitea-sonarqube-bot-staging-secret-from-vault
|
||||||
|
|
||||||
|
## @param volumeMounts If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
|
||||||
|
volumeMounts:
|
||||||
|
- name: gitea-sonarqube-bot-staging-secrets
|
||||||
|
readOnly: true
|
||||||
|
mountPath: "/bot/secrets"
|
||||||
|
|
||||||
## @section Security parameters
|
## @section Security parameters
|
||||||
|
|
||||||
serviceAccount:
|
serviceAccount:
|
||||||
|
|||||||
Reference in New Issue
Block a user