Add Kingfisher secret scanner CronJob #317

Merged
eblume merged 2 commits from feature/kingfisher-cronjob into main 2026-03-28 21:39:56 -07:00

Summary

  • Deploys MongoDB Kingfisher as a weekly CronJob on minikube-indri
  • Scans all Forgejo repos (eblume + all orgs) for leaked secrets with live validation
  • Produces timestamped HTML and JSON reports on sifaka NFS (/volume1/reports/kingfisher/)
  • Forgejo API token sourced from 1Password via ExternalSecret
  • Uses official ghcr.io/mongodb/kingfisher:1.91.0 container image
  • Runs Sunday 4am (after Prowler's 3am k8s scan)

Resources

  • CronJob, PV/PVC (sifaka NFS), ExternalSecret
  • ArgoCD Application with manual sync + CreateNamespace

Test plan

  • [x] Sync ArgoCD apps app to pick up new kingfisher Application
  • [x] Set --revision feature/kingfisher-cronjob on kingfisher app
  • [x] Verify ExternalSecret creates the kingfisher-forgejo-token Secret
  • [x] Trigger manual job: kubectl create job --from=cronjob/kingfisher kingfisher-manual -n kingfisher --context=minikube-indri
  • [x] Verify reports appear on sifaka at /volume1/reports/kingfisher/
  • [ ] After merge: set --revision main and re-sync
Weekly scan of all Forgejo repos (Sunday 4am) using MongoDB's
Kingfisher tool. Produces HTML and JSON reports on sifaka NFS.
Uses official container image with Forgejo API token via
ExternalSecret from 1Password.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Mirror repos clone via forge.eblu.me (Fly.io roundtrip) instead of
forge.ops.eblu.me (direct tailnet). Until we add a clone URL rewrite
option, skip mirrors to avoid unnecessary external bandwidth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
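The repo enumeration the summary describes (eblume's repos plus all orgs) together with the mirror exclusion from the second commit, written here as an added Python example rather than the PR's own scan script. It assumes the Forgejo API v1 endpoints /user/repos, /user/orgs and /orgs/{org}/repos with page/limit pagination and an "Authorization: token" header; the sample API responses are constructed so the code runs offline.

```python
"""Clone list for a Forgejo secret scan: the token owner's repos plus every repo
of every org they belong to, mirrors skipped.  Added example, not the PR's script."""
import json
import urllib.request
from typing import Callable, Iterator

PAGE_SIZE = 50
Fetcher = Callable[[str], list]  # API path (+query) -> decoded JSON list

def make_http_fetcher(base_url: str, token: str) -> Fetcher:
    """Live fetcher: GET base_url + path with Forgejo's API token header."""
    def fetch(path: str) -> list:
        req = urllib.request.Request(
            base_url + path, headers={"Authorization": f"token {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def paginate(fetch: Fetcher, path: str) -> Iterator[dict]:
    """Walk page=1,2,... until a page shorter than PAGE_SIZE comes back."""
    page = 1
    while True:
        items = fetch(f"{path}?page={page}&limit={PAGE_SIZE}")
        yield from items
        if len(items) < PAGE_SIZE:
            return
        page += 1

def scan_targets(fetch: Fetcher, include_mirrors: bool = False) -> list[str]:
    """Sorted, de-duplicated clone URLs; mirror repos dropped unless asked for."""
    repos = list(paginate(fetch, "/api/v1/user/repos"))
    for org in paginate(fetch, "/api/v1/user/orgs"):
        repos.extend(paginate(fetch, f"/api/v1/orgs/{org['name']}/repos"))
    return sorted({r["clone_url"] for r in repos
                   if include_mirrors or not r.get("mirror", False)})

# Constructed sample API responses so the example runs offline (not real data).
SAMPLE = {
    "/api/v1/user/repos": [
        {"mirror": False, "clone_url": "https://forge.ops.eblu.me/eblume/blumeops.git"},
        {"mirror": True, "clone_url": "https://forge.ops.eblu.me/eblume/upstream-mirror.git"}],
    "/api/v1/user/orgs": [{"name": "infra"}],
    "/api/v1/orgs/infra/repos": [
        {"mirror": False, "clone_url": "https://forge.ops.eblu.me/infra/manifests.git"}],
}

def sample_fetch(path: str) -> list:
    """Offline stand-in for make_http_fetcher; only page 1 carries data."""
    base, _, query = path.partition("?")
    return SAMPLE.get(base, []) if query.startswith("page=1&") else []
```

Swap sample_fetch for make_http_fetcher(FORGEJO_URL, token) to produce the real clone list; the mirror repo is excluded by default so the job never clones through the external forge.eblu.me path.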
eblume merged commit 35705faca2 into main 2026-03-28 21:39:56 -07:00
Reference
eblume/blumeops!317