From 42ba33a59f31666beefd3258d2455cd717227304 Mon Sep 17 00:00:00 2001
From: Denis Patrakeev <denis.patrakeev@avroid.team>
Date: Wed, 26 Feb 2025 20:37:25 +0300
Subject: [PATCH] [DO-1600] Change use Bank Vault by custom secret (!63)

[DO-1600]

Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/63
---
 ...narqube-bot-staging-secret-from-vault.yaml | 20 +++++++++++++++
 .../values-ovveride.yaml                      | 25 ++++---------------
 2 files changed, 25 insertions(+), 20 deletions(-)
 create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml

diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
new file mode 100644
index 0000000..304a9c6
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: argocd
+  name: gitea-sonarqube-bot-staging-secret-from-vault
+  namespace: avroid-staging
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+    vault.security.banzaicloud.io/vault-role: "avroid-staging"
+    vault.security.banzaicloud.io/vault-skip-verify: "false"
+    vault.security.banzaicloud.io/vault-path: "avroid-office"
+type: Opaque
+data:
+  gitea_sonarqube_bot_staging_gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
+  gitea_sonarqube_bot_staging_gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
+  gitea_sonarqube_bot_staging_sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
+  gitea_sonarqube_bot_staging_sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
+  gitea_sonarqube_bot_staging_bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
index 9df9d28..73d2ed3 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -34,13 +34,6 @@ resources:
 nodeSelector:
   node-role.kubernetes.io/worker: ""
 
-## @param podAnnotations Pod annotations.
-podAnnotations:
-  vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
-  vault.security.banzaicloud.io/vault-role: "avroid-staging"
-  vault.security.banzaicloud.io/vault-skip-verify: "false"
-  vault.security.banzaicloud.io/vault-path: "avroid-office"
-
 ## @section App parameters
 
 app:
@@ -59,7 +52,7 @@ app:
       ## User needs "Read project" permissions with access to "Pull Requests"
       ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value}"
+        value: "$gitea_sonarqube_bot_staging_gitea_token_value"
         # # or path to file containing the plain text secret
         # file: /bot/secrets/gitea/user-token
 
@@ -70,7 +63,7 @@ app:
       ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret}"
+        secret: "$gitea_sonarqube_bot_staging_gitea_webhook_secret"
         # # or path to file containing the plain text secret
         # secretFile: /bot/secrets/gitea/webhook-secret
 
@@ -83,7 +76,7 @@ app:
       ## User needs "Browse on project" permissions
       ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        value: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value}"
+        value: "$gitea_sonarqube_bot_staging_sonarqube_token_value"
         # # or path to file containing the plain text secret
         # file: /bot/secrets/sonarqube/user-token
 
@@ -95,7 +88,7 @@ app:
       ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret}"
+        secret: "$gitea_sonarqube_bot_staging_sonarqube_webhook_secret"
         # # or path to file containing the plain text secret
         # secretFile: /bot/secrets/sonarqube/webhook-secret
 
@@ -123,15 +116,7 @@ app:
 
     bitbucket:
       webhook:
-        secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
-
-## @section Security parameters
-
-serviceAccount:
-  ## @param serviceAccount.create Specifies whether a service account should be created
-  create: false
-  ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
-  name: "vault"
+        secret: "$gitea_sonarqube_bot_staging_bitbucket_webhook_secret"
 
 ## ref: https://kubernetes.io/docs/user-guide/ingress/
 ingress: