From f670536eeb91ee5143a9edd8b92ecbfa260ec0a7 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Sat, 17 May 2025 23:12:42 +0200
Subject: [PATCH] move ovh cert-manager secret to vault

---
 infra/configs/ovh-cert-manager-secret.yaml | 38 ++++++++++++++++++++++
 infra/kustomization.yaml | 1 +
 vault/kubernetes-roles/cert-manager.yaml | 6 ++++
 vault/policy/ovh-credentials.hcl | 3 ++
 4 files changed, 48 insertions(+)
 create mode 100644 infra/configs/ovh-cert-manager-secret.yaml
 create mode 100644 vault/kubernetes-roles/cert-manager.yaml
 create mode 100644 vault/policy/ovh-credentials.hcl

diff --git a/infra/configs/ovh-cert-manager-secret.yaml b/infra/configs/ovh-cert-manager-secret.yaml
new file mode 100644
index 0000000..1338f17
--- /dev/null
+++ b/infra/configs/ovh-cert-manager-secret.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: cert-manager
+    serviceAccount: ovh-credentials
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: webhook-ovh-credentials
+  namespace: cert-manager
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ovh-cert-manager
+
+  destination:
+    create: true
+    name: ovh-credentials
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: cert-manager
diff --git a/infra/kustomization.yaml b/infra/kustomization.yaml
index b4219cf..7dbe158 100644
--- a/infra/kustomization.yaml
+++ b/infra/kustomization.yaml
@@ -20,3 +20,4 @@ resources:
   - configs/single-hdd-sc.yaml
   - configs/mayastor-snapshotclass.yaml
   - configs/openbao-cert.yaml
+  - configs/ovh-cert-manager-secret.yaml
diff --git a/vault/kubernetes-roles/cert-manager.yaml b/vault/kubernetes-roles/cert-manager.yaml
new file mode 100644
index 0000000..4380735
--- /dev/null
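Review bot: The VaultStaticSecret `webhook-ovh-credentials` sets no `refreshAfter`, so — as I read the Vault Secrets Operator defaults — the `ovh-credentials` Secret is populated once and a later rotation of the OVH keys in Vault would never reach cert-manager; add `refreshAfter: 1h` (or whatever cadence fits) under `spec`. `excludeRaw: true` is the right choice, since it keeps the raw Vault response (metadata included) out of the Kubernetes Secret. The VaultAuth omits `spec.kubernetes.audiences`; if the Vault role is tightened with an `audience` binding, set `audiences: [vault]` here (or confirm VSO's default) so the TokenRequest still matches. This patch only adds files, so the previous plaintext Secret manifest was either removed elsewhere or never committed; if the OVH application key/secret/consumer key ever lived in git, moving them to Vault does not scrub history and they should be rotated at OVH.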
+++ b/vault/kubernetes-roles/cert-manager.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - ovh-credentials
+bound_service_account_namespaces:
+  - cert-manager
+token_policies:
+  - ovh-credentials
diff --git a/vault/policy/ovh-credentials.hcl b/vault/policy/ovh-credentials.hcl
new file mode 100644
index 0000000..5424d16
--- /dev/null
+++ b/vault/policy/ovh-credentials.hcl
@@ -0,0 +1,3 @@
+path "secret/data/ovh-cert-manager" {
+  capabilities = ["read"]
+}
\ No newline at end of file
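Review bot: The Kubernetes auth role binds only the service-account name and namespace; it sets no `audience`, so any token minted for `ovh-credentials` — not just the TokenRequest VSO issues — would authenticate to this role, and it leaves `token_ttl`/`token_max_ttl` at the auth mount's defaults, which are typically far longer than a secret-sync needs. Assuming these keys are handed straight to `auth/kubernetes/role/cert-manager` (the file mirrors the Vault API parameter names, but the consumer is not visible here), add `audience: vault`, `token_ttl: 1h` and `token_max_ttl: 4h`, and set the matching `audiences: [vault]` under `spec.kubernetes` of the VaultAuth in infra/configs/ovh-cert-manager-secret.yaml. A one-line header would also help, since the role name (`cert-manager`) differs from the SA/policy name (`ovh-credentials`): `# Vault kubernetes-auth role used by VSO (VaultAuth cert-manager/cert-manager) to read the OVH credentials`.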
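Review bot: The policy file ends without a trailing newline (`\ No newline at end of file`), which will surface as noise in every future diff of this file; add one. Otherwise the policy is correctly minimal — a single `read` on `secret/data/ovh-cert-manager`, which is all a kv-v2 VaultStaticSecret needs, with no `list` or `secret/metadata/...` access. A short header comment would help map policy to consumer, e.g. `# Read-only access to the OVH credentials synced by VSO into the cert-manager namespace`; what those credentials are used for is not shown in this patch, so keep the comment to that.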