From c22151e766fd296730ac770aa79a7a41c0f27c44 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Wed, 17 Jun 2026 21:49:03 +0300
Subject: [PATCH] Add explicit vault inject for brusnika prod openobserve
---
 .../infrastructure/patches/openobserve.yaml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/clusters/brusnika-prod/infrastructure/patches/openobserve.yaml b/clusters/brusnika-prod/infrastructure/patches/openobserve.yaml
index 108f54c..ddae1fe 100644
--- a/clusters/brusnika-prod/infrastructure/patches/openobserve.yaml
+++ b/clusters/brusnika-prod/infrastructure/patches/openobserve.yaml
@@ -18,6 +18,43 @@ spec:
 - op: add
 path: /spec/template/metadata/annotations/sidecar.istio.io~1inject
 value: "false"
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-init-first
+ value: "true"
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject
+ value: "true"
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-pre-populate-only
+ value: "true"
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1auth-path
+ value: auth/kubernetes
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1role
+ value: openobserve
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-secret-openobserve-env
+ value: secrets/data/vault/apps/openobserve
+ - op: add
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-openobserve-env
+ value: |-
+ {{- with secret "secrets/data/vault/apps/openobserve" -}}
+ ZO_ROOT_USER_EMAIL={{ printf "%q" (index .Data.data "ZO_ROOT_USER_EMAIL") }}
+ ZO_ROOT_USER_PASSWORD={{ printf "%q" (index .Data.data "ZO_ROOT_USER_PASSWORD") }}
+ ZO_META_POSTGRES_DSN={{ printf "%q" (index .Data.data "ZO_META_POSTGRES_DSN") }}
+ ZO_NATS_ADDR={{ printf "%q" (index .Data.data "ZO_NATS_ADDR") }}
+ PGHOST={{ printf "%q" (index .Data.data "PGHOST") }}
+ PGPORT={{ printf "%q" (index .Data.data "PGPORT") }}
+ PGDATABASE={{ printf "%q" (index .Data.data "PGDATABASE") }}
+ PGUSER={{ printf "%q" (index .Data.data "PGUSER") }}
+ PGPASSWORD={{ printf "%q" (index .Data.data "PGPASSWORD") }}
+ PGSSLMODE={{ printf "%q" (index .Data.data "PGSSLMODE") }}
+ PGSSLROOTCERT={{ printf "%q" (index .Data.data "PGSSLROOTCERT") }}
+ ZO_S3_ACCESS_KEY={{ printf "%q" (index .Data.data "ZO_S3_ACCESS_KEY") }}
+ ZO_S3_SECRET_KEY={{ printf "%q" (index .Data.data "ZO_S3_SECRET_KEY") }}
+ OPENOBSERVE_BASIC_AUTH={{ printf "%q" (index .Data.data "OPENOBSERVE_BASIC_AUTH") }}
+ {{- end -}}
 - op: add
 path: /spec/template/spec/imagePullSecrets
 value:
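Review bot: The `openobserve-env` template wraps every value in `printf "%q"`, which is Go string quoting rather than shell quoting. If the rendered file is sourced by a shell (the consumer is not visible in this hunk), a `$` or backtick inside `ZO_ROOT_USER_PASSWORD`, `PGPASSWORD` or `ZO_S3_SECRET_KEY` would be expanded instead of taken literally. For a shell consumer, single-quoting with escaping is safer, for example `PGPASSWORD='{{ index .Data.data "PGPASSWORD" | replaceAll "'" "'\\''" }}'`; if the file is parsed as data instead, a comment above the template op should say so. A key missing from the secret would not fail the render, as far as I can tell; `index` yields nil and the line comes out as `%!q(<nil>)`, so a check that every listed key exists is worth adding. Because `agent-pre-populate-only` is `"true"`, the file is written once at pod start, which deserves a comment such as `# rendered once by the Vault init container; restart the pod after rotating any key in this secret`.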