vault migration

infra/base/gitea/gitea-backup-s3-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-s3
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-backup-s3
+  destination:
+    name: gitea-backup-s3
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-credentials
+  destination:
+    name: gitea-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-runner-token-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-runner-token
+  destination:
+    name: gitea-runner-token
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-smtp-secret-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-smtp-secret
+  destination:
+    name: gitea-smtp-secret
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/kustomization.yaml

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
-- gitea-backup-s3-sealed.yaml
-- gitea-credentials-sealed.yaml
-- gitea-runner-token-sealed.yaml
-- gitea-smtp-secret-sealed.yaml
+- vault-auth.yaml
+- gitea-credentials-vault.yaml
+- gitea-backup-s3-vault.yaml
+- gitea-smtp-secret-vault.yaml
+- gitea-runner-token-vault.yaml
+# Removed: gitea-*-sealed.yaml (migrated to VSO)

infra/base/gitea/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-gitea
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-gitea
+    serviceAccount: vault-auth-gitea
+    audiences:
+    - vault

infra/base/homepage/homepage-widget-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: homepage-widget-credentials
+  namespace: homepage
+spec:
+  type: kv-v2
+  mount: kv
+  path: homepage/homepage-widget-credentials
+  destination:
+    name: homepage-widget-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/homepage/kustomization.yaml

@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
-- homepage-widget-credentials-sealed.yaml
+- vault-auth.yaml
+- homepage-widget-credentials-vault.yaml
 - homepage-extra-rbac.yaml
+# Removed: homepage-widget-credentials-sealed.yaml (migrated to VSO)

infra/base/homepage/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-homepage
+  namespace: homepage
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: homepage
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-homepage
+    serviceAccount: vault-auth-homepage
+    audiences:
+    - vault

infra/base/keycloak/keycloak-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: keycloak-credentials
+  namespace: keycloak
+spec:
+  type: kv-v2
+  mount: kv
+  path: keycloak/keycloak-credentials
+  destination:
+    name: keycloak-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/keycloak/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
-- keycloak-credentials-sealed.yaml
+- vault-auth.yaml
+- keycloak-credentials-vault.yaml
+# Removed: keycloak-credentials-sealed.yaml (migrated to VSO)

infra/base/keycloak/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-keycloak
+  namespace: keycloak
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: keycloak
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-keycloak
+    serviceAccount: vault-auth-keycloak
+    audiences:
+    - vault

infra/base/kustomization.yaml

@@ -23,3 +23,4 @@ resources:
 - databunker
 - homepage
 - vault
+- vault-secrets-operator

infra/base/renovate/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
-- renovate-env-sealed.yaml
+- vault-auth.yaml
+- renovate-env-vault.yaml
+# Removed: renovate-env-sealed.yaml (migrated to VSO)

infra/base/renovate/renovate-env-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: renovate-env
+  namespace: renovate
+spec:
+  type: kv-v2
+  mount: kv
+  path: renovate/renovate-env
+  destination:
+    name: renovate-env
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/renovate/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-renovate
+  namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: renovate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-renovate
+    serviceAccount: vault-auth-renovate
+    audiences:
+    - vault

infra/base/sealedsecrets/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
-- argocd-forte-helm-secret-sealed.yaml
+# Removed: argocd-forte-helm-secret-sealed.yaml (migrated to VSO — now in cluster-resources/)

infra/base/vault-secrets-operator/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vault-secrets-operator.yaml

infra/base/vault-secrets-operator/vault-secrets-operator.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-secrets-operator
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: vault-secrets-operator
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://helm.releases.hashicorp.com
+    chart: vault-secrets-operator
+    targetRevision: "0.10.0"
+    helm:
+      releaseName: vault-secrets-operator
+      valueFiles:
+      - $values/infra/values/base/vault-secrets-operator-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault-secrets-operator-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/overlays/upc-dev/kustomization.yaml

@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
-- entra-upc-dev-credentials-sealed.yaml
+- microsoft-idp-credentials-vault.yaml
+# Removed: entra-upc-dev-credentials-sealed.yaml (migrated to VSO)
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  type: kv-v2
+  mount: kv
+  path: keycloak/microsoft-idp-credentials
+  destination:
+    name: microsoft-idp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/values/base/vault-secrets-operator-values.yaml

@@ -0,0 +1,19 @@
+# Vault Secrets Operator Helm values
+# Docs: https://developer.hashicorp.com/vault/docs/platform/k8s/vso
+
+# Default Vault connection — used by VaultAuth CRDs that don't specify one
+defaultVaultConnection:
+  enabled: true
+  address: http://vault.vault.svc.cluster.local:8200
+
+# Default auth method — Kubernetes auth
+defaultAuthMethod:
+  enabled: true
+  namespace: ""
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso-operator
+    serviceAccount: default
+    audiences:
+    - vault