Add Kingfisher secret scanner CronJob

Weekly scan of all Forgejo repos (Sunday 4am) using MongoDB's
Kingfisher tool. Produces HTML and JSON reports on sifaka NFS.
Uses official container image with Forgejo API token via
ExternalSecret from 1Password.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

argocd/apps/kingfisher.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kingfisher
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/kingfisher
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kingfisher
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true

argocd/manifests/kingfisher/cronjob.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: kingfisher
+  namespace: kingfisher
+spec:
+  schedule: "0 4 * * 0"  # Sunday 4am (after Prowler k8s scan at 3am)
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 604800  # Auto-delete after 7 days
+      template:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+            - name: kingfisher
+              image: ghcr.io/mongodb/kingfisher:kustomized
+              command: ["/bin/sh", "-c"]
+              args:
+                - |
+                  set -e
+                  STAMP=$(date +%Y%m%d-%H%M%S)
+                  OUTDIR=/reports/kingfisher
+                  mkdir -p "$OUTDIR"
+
+                  COMMON_ARGS="scan gitea \
+                    --api-url https://forge.ops.eblu.me/api/v1/ \
+                    --all-organizations \
+                    --user eblume \
+                    --repo-type all \
+                    --no-update-check \
+                    --tls-mode lax \
+                    --allow-internal-ips"
+
+                  # HTML report for human review
+                  kingfisher $COMMON_ARGS \
+                    --format html \
+                    --output "$OUTDIR/scan-${STAMP}.html" || true
+
+                  # JSON report for machine parsing
+                  kingfisher $COMMON_ARGS \
+                    --format json \
+                    --output "$OUTDIR/scan-${STAMP}.json"
+              env:
+                - name: KF_GITEA_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: kingfisher-forgejo-token
+                      key: KF_GITEA_TOKEN
+              volumeMounts:
+                - name: reports
+                  mountPath: /reports
+              resources:
+                requests:
+                  memory: 256Mi
+                  cpu: 100m
+                limits:
+                  memory: 1Gi
+          restartPolicy: OnFailure
+          volumes:
+            - name: reports
+              persistentVolumeClaim:
+                claimName: kingfisher-reports

argocd/manifests/kingfisher/external-secret.yaml

@@ -0,0 +1,22 @@
+# ExternalSecret for Forgejo API token used by Kingfisher to enumerate repos
+#
+# 1Password item: "Forgejo Secrets" in blumeops vault
+# Field: api-token
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kingfisher-forgejo-token
+  namespace: kingfisher
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: kingfisher-forgejo-token
+    creationPolicy: Owner
+  data:
+    - secretKey: KF_GITEA_TOKEN
+      remoteRef:
+        key: Forgejo Secrets
+        property: api-token

argocd/manifests/kingfisher/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kingfisher
+
+resources:
+  - pv-nfs.yaml
+  - pvc.yaml
+  - external-secret.yaml
+  - cronjob.yaml
+
+images:
+  - name: ghcr.io/mongodb/kingfisher
+    newTag: "1.91.0"

argocd/manifests/kingfisher/pv-nfs.yaml

@@ -0,0 +1,17 @@
+# NFS PersistentVolume for Kingfisher secret scan reports
+# Reuses the same sifaka:/volume1/reports share as Prowler
+# NFS rules already configured for indri
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: kingfisher-reports-nfs-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  nfs:
+    server: sifaka
+    path: /volume1/reports

argocd/manifests/kingfisher/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kingfisher-reports
+  namespace: kingfisher
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: ""
+  volumeName: kingfisher-reports-nfs-pv
+  resources:
+    requests:
+      storage: 1Gi

docs/changelog.d/feature-kingfisher-cronjob.feature.md

@@ -0,0 +1 @@
+Add Kingfisher secret scanner as a weekly CronJob scanning all Forgejo repos, with HTML and JSON reports written to sifaka NFS.