vault migration

apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-mcp-credentials
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/argocd-mcp-credentials
+  destination:
+    name: argocd-mcp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/auth-oidc-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: auth-oidc
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/auth-oidc
+  destination:
+    name: auth-oidc
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/kustomization.yaml

@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
-- argocdmcp-auth-oidc-sealed.yaml
-- argocd-mcp-credentials.yaml
+- vault-auth.yaml
+- auth-oidc-vault.yaml
+- argocd-mcp-credentials-vault.yaml
+# Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)

apps/base/argo-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd-mcp
+  namespace: argocd-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd-mcp
+    serviceAccount: vault-auth-argocd-mcp
+    audiences:
+    - vault

apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  type: kv-v2
+  mount: kv
+  path: dot-ai/dot-ai-secrets
+  destination:
+    name: dot-ai-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/dot-ai-stack/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
-- dot-ai-secrets.yaml
+- vault-auth.yaml
+- dot-ai-secrets-vault.yaml
+# Removed: dot-ai-secrets.yaml (migrated to VSO)

apps/base/dot-ai-stack/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-dot-ai
+  namespace: dot-ai
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: dot-ai
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-dot-ai
+    serviceAccount: vault-auth-dot-ai
+    audiences:
+    - vault

apps/base/mcp10x/app-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: app-credentials
+  namespace: mcp10x
+spec:
+  type: kv-v2
+  mount: kv
+  path: mcp10x/app-credentials
+  destination:
+    name: app-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/mcp10x/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
-- forte10x-app-credentials-sealed.yaml
+- vault-auth.yaml
+- app-credentials-vault.yaml
+# Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)

apps/base/mcp10x/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-mcp10x
+  namespace: mcp10x
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: mcp10x
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-mcp10x
+    serviceAccount: vault-auth-mcp10x
+    audiences:
+    - vault

apps/base/musicman/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
-- musicman-credentials.yaml
+- vault-auth.yaml
+- musicman-credentials-vault.yaml
+# Removed: musicman-credentials.yaml (migrated to VSO)

apps/base/musicman/musicman-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: musicman-credentials
+  namespace: music-man
+spec:
+  type: kv-v2
+  mount: kv
+  path: music-man/musicman-credentials
+  destination:
+    name: musicman-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/musicman/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-music-man
+  namespace: music-man
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: music-man
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-music-man
+    serviceAccount: vault-auth-music-man
+    audiences:
+    - vault

apps/base/ts-mcp/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
-- ts-mcp-secrets-sealed.yaml
+- vault-auth.yaml
+- ts-mcp-secrets-vault.yaml
+# Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)

apps/base/ts-mcp/ts-mcp-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: ts-mcp/ts-mcp-secrets
+  destination:
+    name: ts-mcp-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/ts-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-ts-mcp
+  namespace: ts-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: ts-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-ts-mcp
+    serviceAccount: vault-auth-ts-mcp
+    audiences:
+    - vault