Encrypt k8s secrets with Forgejo action key

Allow mounting all volumes in Forgejo actions
2024-05-01 23:38:45 +02:00 · 2024-05-01 23:38:45 +02:00 · a7d403eb5b
commit a7d403eb5b
parent 4b6a072a5c
2 changed files with 15 additions and 6 deletions
--- a/kubenix-modules/forgejo/runner-config.nix
+++ b/kubenix-modules/forgejo/runner-config.nix
@ -27,7 +27,7 @@
    privileged = false;
    options = "";
    workdir_parent = "";
-    valid_volumes = [ "/var/run/secrets/kubernetes.io/serviceaccount" ];
+    valid_volumes = [ "**" ];
    docker_host = "";
    force_pull = false;
  };
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
@ -29,11 +29,20 @@ sops:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM0xTM1pFNDMwYW1FSDRB
-            SGk3dXl6RzVPVXF5N2NYSWxYVXpTYm1UUUZNCkkwOEJZbnVTanRRSXFWWXpJQ0lK
-            T0Z6QnMyZUl1WGEwaEsrbitUUFNoa2MKLS0tIHArQkIrRWlWcU9yUFVaa3pJMDlo
-            dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
-            EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZ3JkeG5KMkI3THREM2Qy
+            UithR0hPQ1pXU003S1ozaGlJUXVmM1hBdVdJCmZYZ3cveFJkNkEzUTZvOWNIS2Rk
+            b1hNdjd0eVA3SlEyZnBObS9lWnMyOVEKLS0tIFJuL1k2UmJxakU2Q0JnNHc2Tkdn
+            T2hCN1VrVjFBaW5XNlVoNnA4QUE5VUEKL4ieqdtq0oDPmPYvQJUZFjeE9XPo4+o+
+            dsalIMaKZTeUK7xPixF4ZNxhxJwDMx21WjdinOJFaFzJOOfXlAQnxw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1x7wv7s2z2cxcvys223rzkzrx33l85rg6jy4klr07atf5r3d8yp3qrwg4lx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcU1kSFZUWEthMEVYbXBZ
+            TUtHdEhpdkRJaUtoaTdxQnRqTXVWdkNuM2s0CjVwNWoyNmdWL1kwcDFhVElBMElN
+            c2dUMWFYeTVaNzBmZGJ3NzNrWXJuaHMKLS0tIFo0Qlg3RkYydURrOXRrdzZXeFlQ
+            Z2w4d09qV29XSWNNZW9Od2taNm9Td0kKdWFS8lA4mS85XWbaf4WqRzakHVJ/AMXl
+            zK7C4DRLLOrLtPilmH5rpu2luC8BE0enxX8ZqF8GJt+Uo3sPfBlpEg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-05-01T21:17:22Z"
    mac: ENC[AES256_GCM,data:Z854yGCEukya2IxAiNp/vmOpf+MqY6Pfvk2uhhH6UPoijvt7gU/AacmieKXNc+lErqh9mxwBoEoY/SwTYymqEsjm3vAWn9mrgvs6dfaTYuyFPg0ZrnV2pT5GiCLbmPhBKw/Fx53MLmB2CcYvYtJkoZk0+pSBOKpI+Mzr1tUOn98=,iv:3wZVY4KjXriFcpCAzjRZsVo/X7gi6WLVRzalKcA41Nk=,tag:evss+EvaaMpj3LyJCNOTZw==,type:str]