From 6aba9bf11b15b28e790cdeced9dbe73a0062a8f6 Mon Sep 17 00:00:00 2001 From: Jack Jackson Date: Fri, 18 Apr 2025 12:09:23 -0700 Subject: [PATCH] Try using Vault Sidecar Injection Referencing [here](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar#configure-kubernetes-authentication), comparing with the Secrets Operator that I used [here](https://blog.scubbo.org/posts/base-app-infrastructure/). I _think_ I prefer this because: * It doesn't create a Kubernetes secret (which is, contrary to expectation, [not entirely secure](https://kubernetes.io/docs/concepts/configuration/secret/)) * The YAML/template changes required are smaller * It looks like it _might_ be able to write a whole Vault path as a single file, rather than one-file-per-key - though it'll need some template wizardry (in a follow-on commit) to format that right.
---
 charts/edh-elo/values.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/charts/edh-elo/values.yaml b/charts/edh-elo/values.yaml
index ea1c45e..ae95273 100644
--- a/charts/edh-elo/values.yaml
+++ b/charts/edh-elo/values.yaml
@@ -5,6 +5,10 @@ image: extraEnv: - name: DATABASE_URL value: postgresql://db_user:pass@edh-elo-postgresql/postgres + - name: SPREADSHEET_ID value: 1ITgXXfq7KaNP8JTQMvoZJSbu7zPpCcfNio_aooULRfc + - name: PATH_TO_GOOGLE_SHEETS_CREDENTIALS value: /vault/secrets/google-credentials.json postgresql: auth: existing-secret: edh-elo-postgresql
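Review bot: `PATH_TO_GOOGLE_SHEETS_CREDENTIALS` is pointed at `/vault/secrets/google-credentials.json` here, but with only the `agent-inject-secret-…` annotation set (second hunk) the injector renders that file with its default template, which as far as I recall prints the KV response as `key: value` lines rather than the raw JSON the application presumably parses — so the file will exist but fail to parse until the template annotation is finished, and the commit message only defers that. The file name is also duplicated between this path and the annotation key suffix, so a comment tying them together would help: `# basename must match <name> in vault.hashicorp.com/agent-inject-secret-<name> under podAnnotations`. I would also quote the spreadsheet ID, `value: "1ITgXXfq7KaNP8JTQMvoZJSbu7zPpCcfNio_aooULRfc"`, since Kubernetes env values must be strings and a leading-digit plain scalar invites retyping by YAML tooling. The unchanged `DATABASE_URL` context line above still embeds a `db_user:pass` credential in a committed values file, which this commit does not address but which the same sidecar could serve instead.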
@@ -33,7 +37,14 @@ serviceAccount:
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
-podAnnotations: {}
+podAnnotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "edh-elo"
+ vault.hashicorp.com/agent-inject-secret-google-credentials.json: "edh-elo/data/google-credentials"
+ # vault.hashicorp.com/agent-inject-template-google-credentials.json: |
+ # {{- with secret "edh-elo/data/google-credentials" -}}
+ # {{- .Data | b64enc -}}
+ # {{- end -}}
 podSecurityContext: {}
 # fsGroup: 2000
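Review bot: `vault.hashicorp.com/role: "edh-elo"` only authenticates if the Vault Kubernetes-auth role `edh-elo` is bound to this chart's service account and namespace, and with `serviceAccount.name: ""` just above the account name is generated from the fullname template, so that binding is easy to get wrong silently; I would state it next to the annotation: `# Vault k8s-auth role; its bound_service_account_names must include the chart's (generated) service account and bound_service_account_namespaces this namespace`. The commented-out template looks like it will need more than uncommenting: `b64enc` is a Sprig/Helm name while injector templates are consul-template (base64 is `base64Encode`, and Sprig functions need a `sprig_` prefix there, if memory serves), and for a KV v2 path (`edh-elo/data/...`) the credential fields sit under `.Data.data`, not `.Data`, so base64-encoding `.Data` would encode a Go map rendering including metadata — `{{- .Data.data | toJSON -}}` is closer to what a JSON credentials file needs; confirm against the injector docs. It is also worth a comment that the injected file lands in an in-memory emptyDir shared with the app container, so anyone who can exec into the pod can read it — the "not entirely secure" argument in the description applies here as well. `podAnnotations` is a top-level mapping, so this hunk covers the whole definition.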