vault migration

2026-04-30 22:38:33 +02:00
parent 2e09a2d404
commit 73376a0a7d
49 changed files with 1103 additions and 272 deletions
--- a/infra/base/gitea/gitea-backup-s3-vault.yaml
+++ b/infra/base/gitea/gitea-backup-s3-vault.yaml
@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-s3
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-backup-s3
+  destination:
+    name: gitea-backup-s3
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-credentials-vault.yaml
+++ b/infra/base/gitea/gitea-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-credentials
+  destination:
+    name: gitea-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-runner-token-vault.yaml
+++ b/infra/base/gitea/gitea-runner-token-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-runner-token
+  destination:
+    name: gitea-runner-token
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-smtp-secret-vault.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-vault.yaml
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-smtp-secret
+  destination:
+    name: gitea-smtp-secret
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
- gitea-backup-s3-sealed.yaml
- gitea-credentials-sealed.yaml
- gitea-runner-token-sealed.yaml
- gitea-smtp-secret-sealed.yaml
+- vault-auth.yaml
+- gitea-credentials-vault.yaml
+- gitea-backup-s3-vault.yaml
+- gitea-smtp-secret-vault.yaml
+- gitea-runner-token-vault.yaml
+# Removed: gitea-*-sealed.yaml (migrated to VSO)
--- a/infra/base/gitea/vault-auth.yaml
+++ b/infra/base/gitea/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-gitea
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-gitea
+    serviceAccount: vault-auth-gitea
+    audiences:
+    - vault