vault migration

infra/overlays/upc-dev/kustomization.yaml

@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
-- entra-upc-dev-credentials-sealed.yaml
+- microsoft-idp-credentials-vault.yaml
+# Removed: entra-upc-dev-credentials-sealed.yaml (migrated to VSO)
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  type: kv-v2
+  mount: kv
+  path: keycloak/microsoft-idp-credentials
+  destination:
+    name: microsoft-idp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth