# ExternalSecret for Forgejo Runner environment
#
# Replaces the manual op inject workflow from secret.yaml.tpl
#
# 1Password item: "Forgejo Secrets" in blumeops vault
# Fields:
# - runner_reg: Runner registration token
# - argocd_token: API token for workflow-bot account (for auto-deploying docs)
#
# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
# via template since they don't need to be in 1Password.
#
# Result: a Secret named forgejo-runner-env in the forgejo-runner namespace
# holding the three static values plus RUNNER_TOKEN and ARGOCD_AUTH_TOKEN.
# Both credentials land in the same Secret, so anything that can read this
# Secret (or the environment built from it) can read both.
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: forgejo-runner-env
  namespace: forgejo-runner
spec:
  # The store is re-read on this interval, so a value rotated in 1Password
  # reaches the Secret within about an hour.
  # NOTE(review): presumably consumed as container environment; if so, running
  # pods keep the old value until restarted - confirm against the Deployment.
  refreshInterval: 1h
  secretStoreRef:
    # NOTE(review): a ClusterSecretStore is cluster-scoped. Confirm that its
    # spec.conditions limit which namespaces may reference it; otherwise any
    # namespace able to create an ExternalSecret can read from this vault.
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: forgejo-runner-env
    # Owner: the operator creates the Secret and sets itself as owner, so the
    # Secret is removed when this ExternalSecret is deleted.
    creationPolicy: Owner
    template:
      # Keys of the generated Secret. .runner_token and .argocd_token are the
      # secretKey names declared under spec.data below.
      data:
        FORGEJO_URL: "https://forge.ops.eblu.me"
        RUNNER_NAME: "k8s-runner"
        # NOTE(review): the job image is referenced by tag (v2.5.0), not by
        # digest; a digest pin would keep the image from changing if the tag
        # is ever re-pushed.
        RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.0"
        RUNNER_TOKEN: "{{ .runner_token }}"
        # NOTE(review): deployment credential for the workflow-bot account.
        # Confirm that account's Argo CD RBAC is limited to what the docs
        # deploy needs, and whether job containers inherit this variable.
        ARGOCD_AUTH_TOKEN: "{{ .argocd_token }}"
  data:
    # The 1Password field is runner_reg; it is exposed to the template as
    # runner_token.
    - secretKey: runner_token
      remoteRef:
        key: Forgejo Secrets
        property: runner_reg
    - secretKey: argocd_token
      remoteRef:
        key: Forgejo Secrets
        property: argocd_token