Scope Kingfisher scan to eblume user only

Mirror repos clone via forge.eblu.me (Fly.io roundtrip) instead of forge.ops.eblu.me (direct tailnet). Until we add a clone URL rewrite option, skip mirrors to avoid unnecessary external bandwidth. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Kingfisher secret scanner CronJob
2026-03-28 21:32:45 -07:00 · 2026-03-28 21:12:12 -07:00
7 changed files with 150 additions and 0 deletions
--- a/argocd/apps/kingfisher.yaml
+++ b/argocd/apps/kingfisher.yaml
@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kingfisher
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/kingfisher
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kingfisher
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/manifests/kingfisher/cronjob.yaml
+++ b/argocd/manifests/kingfisher/cronjob.yaml
@ -0,0 +1,65 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: kingfisher
+  namespace: kingfisher
+spec:
+  schedule: "0 4 * * 0"  # Sunday 4am (after Prowler k8s scan at 3am)
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 604800  # Auto-delete after 7 days
+      template:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+            - name: kingfisher
+              image: ghcr.io/mongodb/kingfisher:kustomized
+              command: ["/bin/sh", "-c"]
+              args:
+                - |
+                  set -e
+                  STAMP=$(date +%Y%m%d-%H%M%S)
+                  OUTDIR=/reports/kingfisher
+                  mkdir -p "$OUTDIR"
+
+                  COMMON_ARGS="scan gitea \
+                    --api-url https://forge.ops.eblu.me/api/v1/ \
+                    --user eblume \
+                    --repo-type all \
+                    --no-update-check \
+                    --tls-mode lax \
+                    --allow-internal-ips"
+
+                  # HTML report for human review
+                  kingfisher $COMMON_ARGS \
+                    --format html \
+                    --output "$OUTDIR/scan-${STAMP}.html" || true
+
+                  # JSON report for machine parsing
+                  kingfisher $COMMON_ARGS \
+                    --format json \
+                    --output "$OUTDIR/scan-${STAMP}.json"
+              env:
+                - name: KF_GITEA_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: kingfisher-forgejo-token
+                      key: KF_GITEA_TOKEN
+              volumeMounts:
+                - name: reports
+                  mountPath: /reports
+              resources:
+                requests:
+                  memory: 256Mi
+                  cpu: 100m
+                limits:
+                  memory: 1Gi
+          restartPolicy: OnFailure
+          volumes:
+            - name: reports
+              persistentVolumeClaim:
+                claimName: kingfisher-reports
--- a/argocd/manifests/kingfisher/external-secret.yaml
+++ b/argocd/manifests/kingfisher/external-secret.yaml
@ -0,0 +1,22 @@
+# ExternalSecret for Forgejo API token used by Kingfisher to enumerate repos
+#
+# 1Password item: "Forgejo Secrets" in blumeops vault
+# Field: api-token
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kingfisher-forgejo-token
+  namespace: kingfisher
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: kingfisher-forgejo-token
+    creationPolicy: Owner
+  data:
+    - secretKey: KF_GITEA_TOKEN
+      remoteRef:
+        key: Forgejo Secrets
+        property: api-token
--- a/argocd/manifests/kingfisher/kustomization.yaml
+++ b/argocd/manifests/kingfisher/kustomization.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kingfisher
+
+resources:
+  - pv-nfs.yaml
+  - pvc.yaml
+  - external-secret.yaml
+  - cronjob.yaml
+
+images:
+  - name: ghcr.io/mongodb/kingfisher
+    newTag: "1.91.0"
--- a/argocd/manifests/kingfisher/pv-nfs.yaml
+++ b/argocd/manifests/kingfisher/pv-nfs.yaml
@ -0,0 +1,17 @@
+# NFS PersistentVolume for Kingfisher secret scan reports
+# Reuses the same sifaka:/volume1/reports share as Prowler
+# NFS rules already configured for indri
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: kingfisher-reports-nfs-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  nfs:
+    server: sifaka
+    path: /volume1/reports
--- a/argocd/manifests/kingfisher/pvc.yaml
+++ b/argocd/manifests/kingfisher/pvc.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kingfisher-reports
+  namespace: kingfisher
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: ""
+  volumeName: kingfisher-reports-nfs-pv
+  resources:
+    requests:
+      storage: 1Gi
--- a/docs/changelog.d/feature-kingfisher-cronjob.feature.md
+++ b/docs/changelog.d/feature-kingfisher-cronjob.feature.md
@ -0,0 +1 @@
+Add Kingfisher secret scanner as a weekly CronJob scanning all Forgejo repos, with HTML and JSON reports written to sifaka NFS.
				`@ -0,0 +1 @@`
				`Add Kingfisher secret scanner as a weekly CronJob scanning all Forgejo repos, with HTML and JSON reports written to sifaka NFS.`