sbbb/base/devtools/vault-secrets.yaml

---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: devtools
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Gitea DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: gitea-db-credentials
  namespace: devtools
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/gitea
  allowStaticCreds: true
  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: StatefulSet
      name: gitea
  destination:
    name: gitea-db-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        password:
          text: "{{ index .Secrets \"password\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: gitea-s3-credentials
  namespace: devtools
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  destination:
    name: gitea-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        "access-key":
          text: "{{ index .Secrets \"access-key\" }}"
        "secret-key":
          text: "{{ index .Secrets \"secret-key\" }}"
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: gitea-admin-credentials
  namespace: devtools
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: gitea
  refreshAfter: 30s
  destination:
    name: gitea-admin-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        username:
          text: "{{ index .Secrets \"admin-username\" }}"
        password:
          text: "{{ index .Secrets \"admin-password\" }}"