blumeops/argocd/manifests/kingfisher/pvc.yaml at main - eblume/blumeops - Forgejo: Beyond coding. We Forge.

eblume/blumeops

Erich Blume 35705faca2 Add Kingfisher secret scanner CronJob (#317 )

## Summary

- Deploys MongoDB Kingfisher as a weekly CronJob on minikube-indri
- Scans all Forgejo repos (eblume + all orgs) for leaked secrets with live validation
- Produces timestamped HTML and JSON reports on sifaka NFS (`/volume1/reports/kingfisher/`)
- Forgejo API token sourced from 1Password via ExternalSecret
- Uses official `ghcr.io/mongodb/kingfisher:1.91.0` container image
- Runs Sunday 4am (after Prowler's 3am k8s scan)

## Resources

- CronJob, PV/PVC (sifaka NFS), ExternalSecret
- ArgoCD Application with manual sync + CreateNamespace

## Test plan

- [x] Sync ArgoCD `apps` app to pick up new kingfisher Application
- [x] Set `--revision feature/kingfisher-cronjob` on kingfisher app
- [x] Verify ExternalSecret creates the `kingfisher-forgejo-token` Secret
- [x] Trigger manual job: `kubectl create job --from=cronjob/kingfisher kingfisher-manual -n kingfisher --context=minikube-indri`
- [ ] Verify reports appear on sifaka at `/volume1/reports/kingfisher/`
- [ ] After merge: set `--revision main` and re-sync

Reviewed-on: #317

2026-03-28 21:39:55 -07:00

13 lines

254 B

YAML

Raw Permalink Blame History

 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: kingfisher-reports
   namespace: kingfisher
 spec:
   accessModes:
     - ReadWriteMany
   storageClassName: ""
   volumeName: kingfisher-reports-nfs-pv
   resources:
     requests:
       storage: 1Gi