From 18dab12b9992f2bb80b6b26d86ca54e78aca5248 Mon Sep 17 00:00:00 2001
From: Denis Patrakeev <denis.patrakeev@avroid.team>
Date: Fri, 28 Feb 2025 11:37:17 +0300
Subject: [PATCH] [DO-1600] Test bank vault (!65)

[DO-1600]

Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/65
---
 .../values-ovveride.yaml                      | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
index 73d2ed3..5ab74ca 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -34,6 +34,13 @@ resources:
 nodeSelector:
   node-role.kubernetes.io/worker: ""
 
+## @param podAnnotations Pod annotations.
+podAnnotations:
+  vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+  vault.security.banzaicloud.io/vault-role: "avroid-staging"
+  vault.security.banzaicloud.io/vault-skip-verify: "false"
+  vault.security.banzaicloud.io/vault-path: "avroid-office"
+
 ## @section App parameters
 
 app:
@@ -52,7 +59,7 @@ app:
       ## User needs "Read project" permissions with access to "Pull Requests"
       ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "$gitea_sonarqube_bot_staging_gitea_token_value"
+        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
         # # or path to file containing the plain text secret
         # file: /bot/secrets/gitea/user-token
 
@@ -63,7 +70,7 @@ app:
       ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
       webhook:
-        secret: "$gitea_sonarqube_bot_staging_gitea_webhook_secret"
+        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
         # # or path to file containing the plain text secret
         # secretFile: /bot/secrets/gitea/webhook-secret
 
@@ -76,7 +83,7 @@ app:
       ## User needs "Browse on project" permissions
       ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "$gitea_sonarqube_bot_staging_sonarqube_token_value"
+        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
         # # or path to file containing the plain text secret
         # file: /bot/secrets/sonarqube/user-token
 
@@ -88,7 +95,7 @@ app:
       ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
       webhook:
-        secret: "$gitea_sonarqube_bot_staging_sonarqube_webhook_secret"
+        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
         # # or path to file containing the plain text secret
         # secretFile: /bot/secrets/sonarqube/webhook-secret
 
@@ -116,7 +123,16 @@ app:
 
     bitbucket:
       webhook:
-        secret: "$gitea_sonarqube_bot_staging_bitbucket_webhook_secret"
+        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
+
+
+## @section Security parameters
+
+serviceAccount:
+  ## @param serviceAccount.create Specifies whether a service account should be created
+  create: false
+  ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+  name: "vault"
 
 ## ref: https://kubernetes.io/docs/user-guide/ingress/
 ingress: