4 changed files with 48 additions and 0 deletions
--- a/infra/configs/ovh-cert-manager-secret.yaml
+++ b/infra/configs/ovh-cert-manager-secret.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: cert-manager
+    serviceAccount: ovh-credentials
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: webhook-ovh-credentials
+  namespace: cert-manager
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ovh-cert-manager
+
+  destination:
+    create: true
+    name: ovh-credentials
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: cert-manager
--- a/infra/kustomization.yaml
+++ b/infra/kustomization.yaml
@@ -20,3 +20,4 @@ resources:
  - configs/single-hdd-sc.yaml
  - configs/mayastor-snapshotclass.yaml
  - configs/openbao-cert.yaml
+  - configs/ovh-cert-manager-secret.yaml
--- a/vault/kubernetes-roles/cert-manager.yaml
+++ b/vault/kubernetes-roles/cert-manager.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - ovh-credentials
+bound_service_account_namespaces:
+  - cert-manager
+token_policies:
+  - ovh-credentials
--- a/vault/policy/ovh-credentials.hcl
+++ b/vault/policy/ovh-credentials.hcl
@@ -0,0 +1,3 @@
+path "secret/data/ovh-cert-manager" {
+    capabilities = ["read"]
+}