apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-admin-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-admin-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: username remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/auth/admin metadataPolicy: None property: username - secretKey: password remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/auth/admin metadataPolicy: None property: password --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-oidc-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-oidc-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: secret remoteRef: conversionStrategy: Default decodingStrategy: None key: /authentik/oidc/gitea metadataPolicy: None property: secret - secretKey: key remoteRef: conversionStrategy: Default decodingStrategy: None key: /authentik/oidc/gitea metadataPolicy: None property: client --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-runner-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-runner-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: token remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/runner metadataPolicy: None property: token --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-renovate-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-renovate-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: RENOVATE_ENDPOINT remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: RENOVATE_ENDPOINT - secretKey: RENOVATE_GIT_AUTHOR remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: RENOVATE_GIT_AUTHOR - secretKey: RENOVATE_TOKEN remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: RENOVATE_TOKEN - secretKey: RENOVATE_GIT_PRIVATE_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: id_rsa - secretKey: RENOVATE_GITHUB_COM_TOKEN remoteRef: conversionStrategy: Default decodingStrategy: None key: /github/gitea-cl01tl metadataPolicy: None property: token --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-renovate-ssh-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-renovate-ssh-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: config remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: ssh_config - secretKey: id_rsa remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: id_rsa - secretKey: id_rsa.pub remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/renovate metadataPolicy: None property: id_rsa.pub --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-s3cmd-config namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-s3cmd-config app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: .s3cfg remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/gitea-backup metadataPolicy: None property: s3cfg - secretKey: BUCKET remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/gitea-backup metadataPolicy: None property: BUCKET --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-meilisearch-master-key-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-meilisearch-master-key-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault target: template: mergePolicy: Merge engineVersion: v2 data: ISSUE_INDEXER_CONN_STR: "http://:{{ `{{ .MEILI_MASTER_KEY }}` }}@gitea-meilisearch.gitea:7700/" data: - secretKey: MEILI_MASTER_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/gitea/meilisearch metadataPolicy: None property: MEILI_MASTER_KEY --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-cloudflared-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-cloudflared-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: cf-tunnel-token remoteRef: conversionStrategy: Default decodingStrategy: None key: /cloudflare/tunnels/gitea metadataPolicy: None property: token --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: gitea-postgresql-17-cluster-backup-secret namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: ACCESS_KEY_ID remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/postgres-backups metadataPolicy: None property: access - secretKey: ACCESS_SECRET_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/postgres-backups metadataPolicy: None property: secret