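---
# Vault Secrets Operator (VSO) wiring for the woodpecker namespace:
# one ServiceAccount + VaultAuth pair, and two VaultStaticSecrets that
# materialise Vault KV v2 data as Kubernetes Secrets.

# Identity presented to Vault's kubernetes auth method (referenced by the
# VaultAuth below via spec.kubernetes.serviceAccount).
# NOTE(review): if no workload pod runs as this account, consider setting
# `automountServiceAccountToken: false` so its token is never mounted into a
# pod by default - confirm nothing depends on the mounted token first.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: woodpecker-secret
  namespace: woodpecker
---
# Logs in to Vault through the `kubernetes` auth mount as role `woodpecker`.
# Both VaultStaticSecrets in this file use this auth, so the policy attached
# to that Vault role needs read access to secret/woodpecker and
# secret/container-registry.
# NOTE(review): the Vault-side role is not visible here - verify it is bound
# to this ServiceAccount name and namespace only, and that its policy grants
# nothing beyond those two paths.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: woodpecker
  namespace: woodpecker
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: woodpecker
    serviceAccount: woodpecker-secret
---
# Main woodpecker secrets from Vault
# Requires vault kv put secret/woodpecker \
#   WOODPECKER_AGENT_SECRET="$(openssl rand -hex 32)" \
#   WOODPECKER_GITEA_CLIENT="" \
#   WOODPECKER_GITEA_SECRET=""
# Values typed inline on the command line land in shell history; `vault kv put`
# also accepts `KEY=@file` and `KEY=-` (stdin) for the real client id/secret.
# Note: Database password comes from CNPG secret (woodpecker-postgresql-cluster-app)
# NOTE(review): no `refreshAfter` is set on this resource - confirm how a value
# rotated in Vault is expected to reach the Kubernetes Secret.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: woodpecker-secrets
  namespace: woodpecker
spec:
  type: kv-v2
  mount: secret
  path: woodpecker
  destination:
    create: true
    name: woodpecker-secrets
    type: Opaque
    transformation:
      # Keep the `_raw` copy of the Vault response out of the Secret;
      # only the individual KV fields are written.
      excludeRaw: true
  vaultAuthRef: woodpecker
---
# Container registry credentials for Kaniko
# Requires vault kv put secret/container-registry \
#   REGISTRY_USERNAME="" \
#   REGISTRY_PASSWORD=""
# These credentials become a plain Opaque Secret in the woodpecker namespace,
# readable by anything with `get` on secrets there.
# NOTE(review): check which pipeline steps can mount it, and that the registry
# account is limited to the repositories the builds actually push to.
# NOTE(review): no `refreshAfter` here either - same rotation question as for
# woodpecker-secrets.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: container-registry
  namespace: woodpecker
spec:
  type: kv-v2
  mount: secret
  path: container-registry
  destination:
    create: true
    name: container-registry
    type: Opaque
    transformation:
      # Same as above: drop the `_raw` key from the synced Secret.
      excludeRaw: true
  vaultAuthRef: woodpecker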