From 551ddbec3bfd08cfc1ca6a338b343f2a55340c40 Mon Sep 17 00:00:00 2001
From: agatha <agatha@juggalol.com>
Date: Thu, 7 May 2026 17:49:48 -0400
Subject: [PATCH] Ops: Adjust deployment manifests for environment

---
 k8s/api/deployment.yaml     |  2 +-
 k8s/ingress.yaml            |  5 ++---
 k8s/minio/statefulset.yaml  |  1 -
 k8s/vault/api-secret.yaml   |  4 ++--
 k8s/vault/minio-secret.yaml |  4 ++--
 k8s/vault/vault-auth.yaml   | 14 ++++++++++----
 6 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/k8s/api/deployment.yaml b/k8s/api/deployment.yaml
index e5477ac..a3586a4 100644
--- a/k8s/api/deployment.yaml
+++ b/k8s/api/deployment.yaml
@@ -15,7 +15,7 @@ spec:
     spec:
       initContainers:
         - name: migrate
-          image: reactbin-api:latest
+          image: git.juggalol.com/juggalol/reactbin-api:v1.0.0
           command: ["alembic", "upgrade", "head"]
           workingDir: /app
           envFrom:
diff --git a/k8s/ingress.yaml b/k8s/ingress.yaml
index 977dc25..97901f2 100644
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@@ -1,4 +1,3 @@
-# Replace <your-domain> with the real domain before applying
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -11,10 +10,10 @@ spec:
   ingressClassName: nginx
   tls:
     - hosts:
-        - <your-domain>
+        - reactbin.juggalol.com
       secretName: reactbin-tls
   rules:
-    - host: <your-domain>
+    - host: reactbin.juggalol.com
       http:
         paths:
           # /api/ must appear before / — nginx evaluates paths in declaration order
diff --git a/k8s/minio/statefulset.yaml b/k8s/minio/statefulset.yaml
index 90dbed4..17d0395 100644
--- a/k8s/minio/statefulset.yaml
+++ b/k8s/minio/statefulset.yaml
@@ -1,4 +1,3 @@
-# Replace 'latest' with the real image tag before applying
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
diff --git a/k8s/vault/api-secret.yaml b/k8s/vault/api-secret.yaml
index f7b7ad7..b965363 100644
--- a/k8s/vault/api-secret.yaml
+++ b/k8s/vault/api-secret.yaml
@@ -4,8 +4,8 @@ metadata:
   name: api-secret
   namespace: reactbin
 spec:
-  vaultAuthRef: reactbin-auth
-  mount: secret
+  vaultAuthRef: reactbin-vault-auth
+  mount: kv
   type: kv-v2
   # Required Vault keys at this path:
   #   DATABASE_URL, JWT_SECRET_KEY, OWNER_USERNAME, OWNER_PASSWORD,
diff --git a/k8s/vault/minio-secret.yaml b/k8s/vault/minio-secret.yaml
index f187925..e6b6722 100644
--- a/k8s/vault/minio-secret.yaml
+++ b/k8s/vault/minio-secret.yaml
@@ -4,8 +4,8 @@ metadata:
   name: minio-secret
   namespace: reactbin
 spec:
-  vaultAuthRef: reactbin-auth
-  mount: secret
+  vaultAuthRef: reactbin-vault-auth
+  mount: kv
   type: kv-v2
   # Required Vault keys at this path:
   #   MINIO_ROOT_USER, MINIO_ROOT_PASSWORD
diff --git a/k8s/vault/vault-auth.yaml b/k8s/vault/vault-auth.yaml
index 30ac590..c488eb6 100644
--- a/k8s/vault/vault-auth.yaml
+++ b/k8s/vault/vault-auth.yaml
@@ -1,7 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vso-reactbin
+  namespace: reactbin
+---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
-  name: reactbin-auth
+  name: reactbin-vault-auth
   namespace: reactbin
 spec:
   method: kubernetes
@@ -10,7 +16,7 @@ spec:
     # The operator must create this role in Vault and bind it to the
     # default service account in the reactbin namespace with read access
     # to both reactbin/api/config and reactbin/minio/credentials.
-    role: reactbin
-    serviceAccount: default
+    role: vso-reactbin
+    serviceAccount: vso-reactbin
     audiences:
-      - https://kubernetes.default.svc
+      - vault