From af29de91d61bc0bf9a614cd0c2cfe808b5a12d15 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Sat, 17 May 2025 22:51:15 +0200
Subject: [PATCH] move renovate gitea token to vault
---
apps/renovate/cronjob.yaml | 2 +-
apps/renovate/kustomization.yaml | 1 +
apps/renovate/secret.yaml | 38 ++++++++++++++++++++++++++++
vault/kubernetes-roles/renovate.yaml | 6 +++++
vault/policy/renovate.hcl | 3 +++
5 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 apps/renovate/secret.yaml
create mode 100644 vault/kubernetes-roles/renovate.yaml
create mode 100644 vault/policy/renovate.hcl
diff --git a/apps/renovate/cronjob.yaml b/apps/renovate/cronjob.yaml
index b163881..ca346d9 100644
--- a/apps/renovate/cronjob.yaml
+++ b/apps/renovate/cronjob.yaml
@@ -18,7 +18,7 @@ spec:
image: renovate/renovate:40.11.6-full
envFrom:
- secretRef:
- name: renovate-env
+ name: renovate-gitea-token
- configMapRef:
name: renovate-config
restartPolicy: Never
diff --git a/apps/renovate/kustomization.yaml b/apps/renovate/kustomization.yaml
index e63930f..d9465a6 100644
--- a/apps/renovate/kustomization.yaml
+++ b/apps/renovate/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
resources:
- namespace.yaml
- configmap.yaml
+ - secret.yaml
- cronjob.yaml
diff --git a/apps/renovate/secret.yaml b/apps/renovate/secret.yaml
new file mode 100644
index 0000000..aeb4e7f
--- /dev/null
+++ b/apps/renovate/secret.yaml
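Review bot: The `renovate-env` Secret that this line stops referencing is not deleted anywhere in the patch, so the previous copy of the Gitea token stays in the cluster; it is not listed in kustomization.yaml, so it was presumably created out of band — verify. Once the VaultStaticSecret has synced, remove it (`kubectl -n renovate delete secret renovate-env`) and, because that token was handled outside Vault, rotate it in Gitea and store only the new value at `secret/renovate`. Also note that `envFrom` exposes every key of the synced Secret as an environment variable, so the KV entry must use the exact variable name Renovate reads (e.g. `RENOVATE_TOKEN`); the key names are not visible here and are worth confirming.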
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: renovate
+ namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: renovate
+ namespace: renovate
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: renovate
+ serviceAccount: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: renovate-gitea-token
+ namespace: renovate
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: renovate
+
+ destination:
+ create: true
+ name: renovate-gitea-token
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: renovate
diff --git a/vault/kubernetes-roles/renovate.yaml b/vault/kubernetes-roles/renovate.yaml
new file mode 100644
index 0000000..f8cb9bc
--- /dev/null
+++ b/vault/kubernetes-roles/renovate.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - renovate
+bound_service_account_namespaces:
+ - renovate
+token_policies:
+ - renovate
diff --git a/vault/policy/renovate.hcl b/vault/policy/renovate.hcl
new file mode 100644
index 0000000..01c980a
--- /dev/null
+++ b/vault/policy/renovate.hcl
@@ -0,0 +1,3 @@
+path "secret/data/renovate" {
+ capabilities = ["read"]
+}
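Review bot: The VaultStaticSecret sets no `refreshAfter`, so after the Gitea token is rotated in Vault the synced `renovate-gitea-token` Secret may keep the stale value until the CR itself changes (what VSO does with an unset `refreshAfter` should be checked against the installed operator version); add `refreshAfter: 1h` under `spec` so each CronJob run picks up a rotated token within a bounded window. `excludeRaw: true` is the right choice — it keeps the kv-v2 metadata/`_raw` JSON out of the Secret. Since no pod runs as the `renovate` ServiceAccount (VSO obtains its token through the TokenRequest API and the CronJob does not set `serviceAccountName`), consider `automountServiceAccountToken: false` on the ServiceAccount so an accidental use of it does not mount a token. Minor style point: the file is named secret.yaml but also defines the ServiceAccount and VaultAuth; a name like `vault.yaml`, or one file per resource, would make the kustomization list easier to read.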
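Review bot: The Vault Kubernetes auth role binds the service account name and namespace but sets no `token_ttl`/`token_max_ttl` and no `audience`, so tokens issued to VSO inherit the mount's default lease TTL and any projected token for the `renovate` ServiceAccount is accepted regardless of its audience. Add `token_ttl: 1h`, `token_max_ttl: 24h` and `audience: vault` so a leaked Vault token is short-lived and SA tokens minted for other audiences cannot log in; the VaultAuth would then need `spec.kubernetes.audiences` set to the same value, which is in another file of this patch. Whether this file is applied verbatim as the role payload depends on the tooling that consumes `vault/kubernetes-roles/`, which is not visible here, so check that those field names are passed through unchanged.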