move renovate gitea token to vault

apps/renovate/cronjob.yaml

@@ -18,7 +18,7 @@ spec:
               image: renovate/renovate:40.11.6-full
               envFrom:
                 - secretRef:
-                    name: renovate-env
+                    name: renovate-gitea-token
                 - configMapRef:
                     name: renovate-config
           restartPolicy: Never

apps/renovate/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - configmap.yaml
+  - secret.yaml
   - cronjob.yaml

apps/renovate/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: renovate
+  namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: renovate
+    serviceAccount: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: renovate-gitea-token
+  namespace: renovate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: renovate
+
+  destination:
+    create: true
+    name: renovate-gitea-token
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: renovate