viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(renew-tls): use alpine+curl for kubectl step to avoid permission denied

Browse source 
bitnami/kubectl runs as non-root UID 1001, cannot read git-crypt
decrypted secrets owned by root. Switch to alpine (runs as root)
with kubectl downloaded directly.
This commit is contained in:
Viktor Barzin 2026-03-23 22:28:37 +02:00
parent b5dd43aeab
commit b7409cea4e
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.woodpecker/renew-tls.yml
View file

@ -52,8 +52,10 @@ steps:
- "echo 'Certificate is valid for at least 7 more days'" - "echo 'Certificate is valid for at least 7 more days'"
- name: update-tls-source-secret - name: update-tls-source-secret
image: bitnami/kubectl:latest image: alpine
commands: commands:
- "apk update && apk add curl"
- "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
- | - |
kubectl create secret tls tls-secret \ kubectl create secret tls tls-secret \
--cert=secrets/fullchain.pem --key=secrets/privkey.pem \ --cert=secrets/fullchain.pem --key=secrets/privkey.pem \