From 22ae1a5f7f951fdc797fc292a31876b5ade767e5 Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Tue, 27 Jan 2026 22:05:09 +0100
Subject: [PATCH] chore(k8s-wheatley): Use Vault SecretStore
---
 .../clustersecrets.yaml | 20 +++++++++-------
 .../kustomization.yaml | 10 +++++++-
 .../external-secrets-operator/namespace.yaml | 0
 .../secretstore.yaml | 24 +++++++++++++++++++
 .../kustomization.yaml | 14 -----------
 .../secretstore.yaml | 14 -----------
 6 files changed, 44 insertions(+), 38 deletions(-)
 rename {kustomize-bases => k8s-wheatley}/external-secrets-operator/namespace.yaml (100%)
 create mode 100644 k8s-wheatley/external-secrets-operator/secretstore.yaml
 delete mode 100644 kustomize-bases/external-secrets-operator/kustomization.yaml
 delete mode 100644 kustomize-bases/external-secrets-operator/secretstore.yaml
diff --git a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
index 74fa2eb..ea424ae 100644
--- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
+++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
@@ -10,7 +10,7 @@ spec:
 kubernetes.io/metadata.name: kube-system
 externalSecretSpec:
 secretStoreRef:
- name: 1password-wheatley
+ name: vault-wheatley
 kind: ClusterSecretStore
 target:
 name: tls-wildcard-wheatley-in
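Review bot: This is the only `secretStoreRef` updated in the patch while the `1password-wheatley` ClusterSecretStore is deleted further down, so any other ExternalSecret or ClusterExternalSecret in the repo that still names the old store stops syncing once this lands; a grep for `1password-wheatley` before merge would confirm there are none. The target Secret `tls-wildcard-wheatley-in` should keep its last synced value while the new store cannot be reached, I believe, so the cut-over itself is low risk. The ClusterExternalSecret this hunk belongs to starts outside the hunk and its `refreshInterval` is not visible here.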
@@ -20,15 +20,17 @@ spec:
 tls.crt: "{{ .crt }}"
 tls.key: "{{ .key }}"
 data:
- - secretKey: key
- remoteRef:
- key: tls-wildcard-wheatley-in/key
- metadataPolicy: None
- conversionStrategy: Default
- decodingStrategy: None
 - secretKey: crt
 remoteRef:
- key: tls-wildcard-wheatley-in/crt
- metadataPolicy: None
+ key: secrets/provisioned/tls-wildcard-wheatley-in
+ property: crt
 conversionStrategy: Default
 decodingStrategy: None
+ metadataPolicy: None
+ - secretKey: key
+ remoteRef:
+ key: secrets/provisioned/tls-wildcard-wheatley-in
+ property: key
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml
index 16d5852..0604d96 100644
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@@ -3,5 +3,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ../../kustomize-bases/external-secrets-operator
+ - namespace.yaml
+ - secretstore.yaml
 - clustersecrets.yaml
+
+helmCharts:
+ - name: external-secrets
+ repo: https://charts.external-secrets.io
+ namespace: external-secrets
+ releaseName: external-secrets
+ version: 1.0.0
diff --git a/kustomize-bases/external-secrets-operator/namespace.yaml b/k8s-wheatley/external-secrets-operator/namespace.yaml
similarity index 100%
rename from kustomize-bases/external-secrets-operator/namespace.yaml
rename to k8s-wheatley/external-secrets-operator/namespace.yaml
diff --git a/k8s-wheatley/external-secrets-operator/secretstore.yaml b/k8s-wheatley/external-secrets-operator/secretstore.yaml
new file mode 100644
index 0000000..2fdc7d2
--- /dev/null
+++ b/k8s-wheatley/external-secrets-operator/secretstore.yaml
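Review bot: The new `remoteRef.key` value `secrets/provisioned/tls-wildcard-wheatley-in` is only meaningful relative to the store's mount `path` (`kv/k8s_wheatley` in secretstore.yaml) and, with the store's `version: "v2"`, the provider inserts the KV v2 `data/` segment itself, as far as I know; neither fact is visible from this file, so a reader cannot tell which Vault path the AppRole policy must grant read access to. A comment above `data:` would fix that, e.g. `# keys are relative to the vault-wheatley store mount (kv/k8s_wheatley); the KV v2 data/ segment is added by the provider` (confirm the second half against the ESO release in use). Both entries keep `decodingStrategy: None`, which is right if the PEM is stored as plain text in Vault; if it was written base64-encoded, `decodingStrategy: Base64` is needed or the TLS Secret will hold an encoded blob. The enclosing ClusterExternalSecret starts outside the hunk.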
@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+ name: vault-wheatley
+ namespace: external-secrets
+spec:
+ provider:
+ vault:
+ server: "https://vault.wheatley.in"
+ namespace: "wheatley"
+ path: "kv/k8s_wheatley"
+ version: "v2"
+ auth:
+ appRole:
+ path: approle
+ roleRef:
+ namespace: external-secrets
+ name: vault-wheatley-approle
+ key: approle_id
+ secretRef:
+ namespace: external-secrets
+ name: vault-wheatley-approle
+ key: approle_secret
diff --git a/kustomize-bases/external-secrets-operator/kustomization.yaml b/kustomize-bases/external-secrets-operator/kustomization.yaml
deleted file mode 100644
index 9dc89ef..0000000
--- a/kustomize-bases/external-secrets-operator/kustomization.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - namespace.yaml
- - secretstore.yaml
-
-helmCharts:
- - name: external-secrets
- repo: https://charts.external-secrets.io
- namespace: external-secrets
- releaseName: external-secrets
- version: 1.0.0
diff --git a/kustomize-bases/external-secrets-operator/secretstore.yaml b/kustomize-bases/external-secrets-operator/secretstore.yaml
deleted file mode 100644
index ef27680..0000000
--- a/kustomize-bases/external-secrets-operator/secretstore.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ClusterSecretStore
-metadata:
- name: 1password-wheatley
-spec:
- provider:
- onepasswordSDK:
- vault: wheatley
- auth:
- serviceAccountSecretRef:
- namespace: external-secrets
- name: 1password-token-wheatley
- key: token
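Review bot: `metadata.namespace: external-secrets` on the new `ClusterSecretStore` puts a namespace on a cluster-scoped kind; depending on the apply tooling it is silently dropped or rejected, and it suggests the store is namespaced when it is not, so drop that line (the `namespace:` fields under `roleRef` and `secretRef` are the ones that do the work, and the deleted 1Password store correctly had none). The whole trust chain now rests on the out-of-band Secret `vault-wheatley-approle`, which holds both `approle_id` and `approle_secret` and is neither created nor described anywhere in this patch; add a comment above `auth:` such as `# vault-wheatley-approle (role_id + secret_id) is provisioned out of band; rotate the secret_id in Vault, not by editing this file` so the bootstrap and rotation path is on record. On the Vault side, keeping that AppRole read-only on the `kv/k8s_wheatley` mount and giving its secret-id and tokens short TTLs bounds what a copy of the Kubernetes Secret is worth; Vault's Kubernetes auth method would remove the static credential altogether if Vault can reach this cluster's API. No `caBundle` or `caProvider` is set, so TLS to `https://vault.wheatley.in` is validated against the controller image's CA bundle, which is fine for a public CA and worth a comment if it is an internal one.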