blumeops/argocd/manifests/kingfisher/external-secret.yaml
Erich Blume 35705faca2 Add Kingfisher secret scanner CronJob (#317)
## Summary

- Deploys MongoDB Kingfisher as a weekly CronJob on minikube-indri
- Scans all Forgejo repos (eblume + all orgs) for leaked secrets with live validation
- Produces timestamped HTML and JSON reports on sifaka NFS (`/volume1/reports/kingfisher/`)
- Forgejo API token sourced from 1Password via ExternalSecret
- Uses official `ghcr.io/mongodb/kingfisher:1.91.0` container image
- Runs Sunday 4am (after Prowler's 3am k8s scan)

## Resources

- CronJob, PV/PVC (sifaka NFS), ExternalSecret
- ArgoCD Application with manual sync + CreateNamespace

## Test plan

- [x] Sync ArgoCD `apps` app to pick up new kingfisher Application
- [x] Set `--revision feature/kingfisher-cronjob` on kingfisher app
- [x] Verify ExternalSecret creates the `kingfisher-forgejo-token` Secret
- [x] Trigger manual job: `kubectl create job --from=cronjob/kingfisher kingfisher-manual -n kingfisher --context=minikube-indri`
- [ ] Verify reports appear on sifaka at `/volume1/reports/kingfisher/`
- [ ] After merge: set `--revision main` and re-sync

Reviewed-on: #317
2026-03-28 21:39:55 -07:00


```yaml
# ExternalSecret for Forgejo API token used by Kingfisher to enumerate repos
#
# 1Password item: "Forgejo Secrets" in blumeops vault
# Field: api-token
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: kingfisher-forgejo-token
  namespace: kingfisher
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: kingfisher-forgejo-token
    creationPolicy: Owner
  data:
    - secretKey: KF_GITEA_TOKEN
      remoteRef:
        key: Forgejo Secrets
        property: api-token
```
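The test plan's "Verify ExternalSecret creates the `kingfisher-forgejo-token` Secret" step is usually done by eyeballing `kubectl get externalsecret` and `kubectl get secret`. The helpers below, an added example that is not part of this commit or of the blumeops repo, encode what that verification should actually confirm: the ExternalSecret reports a `Ready` condition with status `True`, the produced Secret has the name declared in `spec.target.name`, it carries an `ownerReferences` entry pointing back at the ExternalSecret (what `creationPolicy: Owner` implies), and every `secretKey` declared in `spec.data` is present and non-empty. The condition names (`Ready`, `SecretSynced`, `SecretSyncedError`) follow External Secrets Operator conventions; the sample objects are constructed to mirror `kubectl get ... -o json` output and contain only a placeholder token value.

```python
"""Offline checks for an ExternalSecret -> Secret sync (added example, not project code)."""
from __future__ import annotations

import base64


def externalsecret_ready(es: dict) -> tuple[bool, str]:
    """Return (ready, reason) from the ExternalSecret's Ready status condition."""
    for cond in es.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", "")
    return False, "NoReadyCondition"


def secret_missing_keys(secret: dict, expected: set[str]) -> set[str]:
    """Keys the workload expects that the Secret lacks or carries with an empty value."""
    data = secret.get("data", {})
    present = {k for k, v in data.items() if v and base64.b64decode(v)}
    return set(expected) - present


def check_sync(es: dict, secret: dict) -> list[str]:
    """Return findings for the ExternalSecret/Secret pair; an empty list means healthy."""
    findings: list[str] = []
    ready, reason = externalsecret_ready(es)
    if not ready:
        findings.append(f"ExternalSecret not Ready (reason={reason})")

    target = es["spec"]["target"]["name"]
    actual = secret.get("metadata", {}).get("name")
    if actual != target:
        findings.append(f"Secret name {actual!r} does not match spec.target.name {target!r}")

    # creationPolicy Owner: ESO owns the Secret, so it should carry an ownerReference
    # to the ExternalSecret and be garbage-collected when the ExternalSecret is deleted.
    if es["spec"]["target"].get("creationPolicy", "Owner") == "Owner":
        owners = secret.get("metadata", {}).get("ownerReferences", [])
        if not any(o.get("kind") == "ExternalSecret" and o.get("name") == es["metadata"]["name"]
                   for o in owners):
            findings.append("Secret has no ownerReference to the ExternalSecret")

    # Every secretKey declared in spec.data must exist in the Secret with a non-empty value.
    expected = {d["secretKey"] for d in es["spec"].get("data", [])}
    for key in sorted(secret_missing_keys(secret, expected)):
        findings.append(f"Secret is missing expected key {key}")
    return findings


# --- Constructed sample objects (shaped like `kubectl get ... -o json`) ---
ES_OK = {
    "apiVersion": "external-secrets.io/v1", "kind": "ExternalSecret",
    "metadata": {"name": "kingfisher-forgejo-token", "namespace": "kingfisher"},
    "spec": {
        "refreshInterval": "1h",
        "secretStoreRef": {"kind": "ClusterSecretStore", "name": "onepassword-blumeops"},
        "target": {"name": "kingfisher-forgejo-token", "creationPolicy": "Owner"},
        "data": [{"secretKey": "KF_GITEA_TOKEN",
                  "remoteRef": {"key": "Forgejo Secrets", "property": "api-token"}}],
    },
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "SecretSynced"}]},
}
SECRET_OK = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "kingfisher-forgejo-token", "namespace": "kingfisher",
                 "ownerReferences": [{"apiVersion": "external-secrets.io/v1",
                                      "kind": "ExternalSecret",
                                      "name": "kingfisher-forgejo-token"}]},
    # constructed placeholder value, not a real token
    "data": {"KF_GITEA_TOKEN": base64.b64encode(b"constructed-placeholder-token").decode()},
}
# A failed sync: store lookup failed, Secret exists but is empty and unowned.
ES_FAILED = dict(ES_OK, status={"conditions": [
    {"type": "Ready", "status": "False", "reason": "SecretSyncedError"}]})
SECRET_EMPTY = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "kingfisher-forgejo-token", "namespace": "kingfisher"},
    "data": {"KF_GITEA_TOKEN": ""},
}

if __name__ == "__main__":
    for label, es, sec in (("healthy", ES_OK, SECRET_OK), ("failed", ES_FAILED, SECRET_EMPTY)):
        print(label, check_sync(es, sec) or "OK")
```

In practice the two objects come from `kubectl get externalsecret kingfisher-forgejo-token -n kingfisher -o json` and `kubectl get secret kingfisher-forgejo-token -n kingfisher -o json`; the empty-value check matters because a 1Password field that is absent or blank can still produce a Secret object that looks present until the CronJob fails to authenticate.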