# CronJob that runs /code/forgejo-secret-sync.py once a day, with the node's
# k3s server TLS directory and the Forgejo credentials Secret available to it.
# The script itself comes from a ConfigMap and is not part of this manifest.
# No namespace is set here; it comes from whatever applies the manifest.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: forgejo-secret-sync
spec:
  # Daily at 00:00. No timeZone is set, so the controller's zone applies.
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          # No securityContext is set on the pod or the container, so the
          # image's default user and the runtime's default capabilities apply.
          # NOTE(review): hostPath volumes are rejected by the baseline Pod
          # Security Standard, so the target namespace has to allow them.
          containers:
            - name: secret-sync
              # Floating tag with no registry host and no digest: the code that
              # runs is whatever the tag resolves to at pull time.
              # NOTE(review): pin by digest, or use a purpose-built image that
              # already contains the dependency.
              image: library/python:3
              # Installs `requests` (unpinned) from the package index on every
              # run, then starts the script. The install runs in the same
              # container that sees the host TLS directory and the Secret's
              # environment variables, so a bad package release would execute
              # next to that material.
              # NOTE(review): pin the version with hashes
              # (pip --require-hashes) or bake it into the image.
              command:
                - bash
                - -c
                - pip install requests && python /code/forgejo-secret-sync.py
              env:
                # JSON list of {k8s_name, owner, repo} objects read by the
                # script. Presumably each k8s_name is a cluster identity whose
                # credentials go to the owner/repo in Forgejo -- confirm
                # against the script.
                - name: REPO_MAPPINGS
                  value: |
                    [
                      {"k8s_name": "infra-deployer", "owner": "JankySolutions", "repo": "infra"},
                      {"k8s_name": "matrix-bridge-meshtastic-deployer", "owner": "finn", "repo": "matrix-bridge-meshtastic"}
                    ]
              # Every key of the Secret becomes an environment variable. The
              # Secret is the one produced by the ExternalSecret in the second
              # document of this file (same name).
              envFrom:
                - secretRef:
                    name: forgejo-secret-sync
              volumeMounts:
                - name: code
                  mountPath: /code
                # k3s server TLS directory from the node, where k3s keeps its
                # CA certificates and private keys. readOnly is not set, so the
                # mount is writable from the container.
                # NOTE(review): if the script only reads from here, add
                # `readOnly: true`, and consider exposing only the files it
                # needs instead of the whole directory.
                - name: host-tls
                  mountPath: /var/lib/rancher/k3s/server/tls
          restartPolicy: OnFailure
          # Hard requirement: schedule only on nodes labelled
          # node-role.kubernetes.io/control-plane=true, presumably because the
          # hostPath below exists only on k3s server nodes. No tolerations are
          # defined, so tainted control-plane nodes will not accept the pod.
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: node-role.kubernetes.io/control-plane
                        operator: In
                        values: ["true"]
          volumes:
            # Script source. Anyone who can edit this ConfigMap controls what
            # runs with access to the host TLS directory and the Secret.
            - name: code
              configMap:
                name: forgejo-secret-sync
            # No hostPath `type` is set, so the path is not checked before it
            # is mounted.
            # NOTE(review): `type: Directory` would fail the pod early if the
            # path is missing on the node.
            - name: host-tls
              hostPath:
                path: /var/lib/rancher/k3s/server/tls
---
# Materialises the Secret consumed by the CronJob's envFrom.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: forgejo-secret-sync
spec:
  # Namespaced SecretStore named "openbao"; its definition is not in this file.
  secretStoreRef:
    kind: SecretStore
    name: openbao
  # creationPolicy Owner: the Secret is created and owned by this
  # ExternalSecret.
  target:
    name: forgejo-secret-sync
    creationPolicy: Owner
  # extract copies every property stored under the key into the Secret, so any
  # field added at that path later also becomes an environment variable in the
  # job container.
  dataFrom:
    - extract:
        key: forgejo/default/secret-sync