Build custom Kingfisher container from sporked deploy branch (#318)
All checks were successful
Build Container / detect (push) Successful in 2s
Build Container / build-nix (kingfisher) (push) Successful in 12s

## Summary

- Add Dockerfile for Kingfisher built from source (sporked deploy branch)
- Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime
- Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher`
- Add kingfisher to service-versions.yaml (version tracks upstream main SHA)
- Document spork workflow in CLAUDE.md

## Test plan

- [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29`
- [ ] Verify image on registry: `mise run container-list`
- [ ] Update kustomization newTag
- [ ] Sync ArgoCD kingfisher app from branch
- [ ] Trigger manual CronJob and verify scan completes
- [ ] Verify reports on sifaka

Reviewed-on: #318
Erich Blume 2026-03-30 06:34:49 -07:00
commit f9206bf10b
12 changed files with 10247 additions and 8 deletions

View file

@ -17,7 +17,7 @@ spec:
type: RuntimeDefault
containers:
- name: kingfisher
image: ghcr.io/mongodb/kingfisher:kustomized
image: registry.ops.eblu.me/blumeops/kingfisher:kustomized
command: ["/bin/sh", "-c"]
args:
- |
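Review bot: the new `registry.ops.eblu.me/blumeops/kingfisher` image is pulled from a private registry, but nothing in this hunk shows how the pod authenticates to it; if the registry is not anonymous-readable, the pod spec needs an `imagePullSecrets` entry (or the node needs registry credentials) or the CronJob will fail at ImagePullBackOff rather than at scan time. The `kustomized` placeholder tag on the `image:` line is fine as long as the `images:` transform in kustomization.yaml keeps matching this exact name, so a one-line comment above `image:` saying the tag is rewritten by kustomize would spare the next reader the confusion when `kustomized` is not a real tag on the registry.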
@ -28,7 +28,9 @@ spec:
kingfisher scan gitea \
--api-url https://forge.ops.eblu.me/api/v1/ \
--clone-url-base https://forge.ops.eblu.me/ \
--user eblume \
--all-organizations \
--repo-type all \
--no-update-check \
--tls-mode lax \
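Review bot: adding `--all-organizations` next to `--user eblume` widens the scan scope from one user's repositories to every organization the scanner's Gitea token can see, so the token's scope and permissions (read-only, which orgs) should be stated in the commit message or in a comment beside these flags; with the switch to a self-built image the token is also now trusted by an image nobody upstream signs, so least privilege on that credential matters more than before. Since `--tls-mode lax` stays in the command for a scanner that is itself a security control talking to `https://forge.ops.eblu.me`, a short comment on why strict certificate verification is not used there would help a reviewer decide whether it is still needed once the cluster-internal CA situation is documented.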

View file

@ -11,5 +11,5 @@ resources:
- cronjob.yaml
images:
- name: ghcr.io/mongodb/kingfisher
newTag: "1.91.0"
- name: registry.ops.eblu.me/blumeops/kingfisher
newTag: v165768b-5cd32f8-nix
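Review bot: the `newTag` value `v165768b-5cd32f8-nix` does not match the SHA the commit message's test plan builds (`mise run container-build-and-release kingfisher 1d37d29`), and the summary says the service-versions entry "tracks upstream main SHA", so it is unclear which of the two short SHAs in the tag is the sporked deploy branch and which is upstream; please document the tag format (for example in the comment above `images:`) so the next bump can be checked against service-versions.yaml. Because the image now comes from a mutable tag on a private registry rather than a released upstream version, consider pinning it with kustomize's `digest:` field under this `images:` entry instead of `newTag`, so ArgoCD syncs exactly the image that was tested.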

View file

@ -1,6 +1,5 @@
# NFS PersistentVolume for Kingfisher secret scan reports
# Reuses the same sifaka:/volume1/reports share as Prowler
# NFS rules already configured for indri
apiVersion: v1
kind: PersistentVolume
metadata:
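Review bot: the deleted comment `# NFS rules already configured for indri` was the only note in this file recording which NFS client the `sifaka:/volume1/reports` share must allow, and the commit message does not mention the removal; if the export rule on sifaka still only permits `indri` then the scanner pods scheduled elsewhere will fail to mount the reports volume, so either keep the line (updated to the nodes that can actually mount it) or say in the message why the constraint no longer applies.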