From 7cab3859b4de14dfb346f620ddcc4e409f659e60 Mon Sep 17 00:00:00 2001
From: Johannes Reichhardt
Date: Tue, 31 Mar 2026 19:03:36 -0500
Subject: [PATCH] Security Hardening: Migrate to External Secrets and dedicated Service Account with Workload Identity

---
 k8s/deployment.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index 1274944..8036bcb 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -1,3 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: txt2md-sa
+ namespace: default
+ annotations:
+ iam.gke.io/gcp-service-account: "txt2md-app-gsa@project-84ddd43d-e408-4cb9-8cb.iam.gserviceaccount.com"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: gcp-store
+ namespace: default
+spec:
+ provider:
+ gcpsm:
+ projectID: project-84ddd43d-e408-4cb9-8cb
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: txt2md-api-key
+ namespace: default
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: gcp-store
+ kind: SecretStore
+ target:
+ name: txt2md-secrets # This matches the Secret name expected by the Deployment
+ creationPolicy: Owner
+ data:
+ - secretKey: ai-api-key
+ remoteRef:
+ key: gemini-api-key
+---
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -30,6 +66,7 @@ spec:
 labels:
 app: txt2md
 spec:
+ serviceAccountName: txt2md-sa
 containers:
 - name: txt2md
 image: europe-west3-docker.pkg.dev/project-84ddd43d-e408-4cb9-8cb/txt2md-repo/txt2md:v1.0.4
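Review bot: The `gcp-store` SecretStore in the first hunk declares `provider.gcpsm.projectID` but no `auth` block, so as written the External Secrets controller will read `gemini-api-key` with its own ambient identity rather than with `txt2md-sa`, and the Workload Identity annotation added on the ServiceAccount above is not what authorizes the Secret Manager fetch. That also means any principal able to create an ExternalSecret in `default` can pull whatever the controller's identity can reach, which undercuts the least-privilege intent stated in the commit title. Bind the store to the app's Kubernetes service account with `auth.workloadIdentity` and grant the GSA `roles/secretmanager.secretAccessor` on that one secret only (the IAM side is presumably done out of band and cannot be checked from this patch). The cluster name and location are not visible here and need to be filled in.

```yaml
# … unchanged: SecretStore apiVersion/kind/metadata …
spec:
  provider:
    gcpsm:
      projectID: project-84ddd43d-e408-4cb9-8cb
      auth:
        workloadIdentity:
          clusterLocation: <cluster-location>
          clusterName: <cluster-name>
          serviceAccountRef:
            name: txt2md-sa
```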
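Review bot: In the second hunk, `serviceAccountName: txt2md-sa` moves the pod onto an identity annotated for Workload Identity, but the pod still auto-mounts that account's Kubernetes API token, and nothing visible here needs it inside the container now that the API key arrives through the `txt2md-secrets` Secret rather than a runtime call. Add `automountServiceAccountToken: false` next to `serviceAccountName: txt2md-sa` so a compromised container cannot replay the projected token against the API server; on GKE the Workload Identity metadata-server path should not depend on that mounted token, but confirm this if the app itself calls GCP APIs. The pod spec continues outside the hunk (and the original indentation is lost in this rendering), so check that the field is not already set elsewhere in it.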