From 7a0d2032a135c223b5c91d6935042827492fbecf Mon Sep 17 00:00:00 2001
From: Patricia Salajova
Date: Thu, 21 May 2026 12:22:53 +0200
Subject: [PATCH] Set Vault to read-only and scale down secret-collection-manager (selfservice)
---
 clusters/app.ci/vault/manifests.yaml | 1 +
 clusters/app.ci/vault/secret-collection-manager.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/app.ci/vault/manifests.yaml b/clusters/app.ci/vault/manifests.yaml
index a659fe9ea1c78..cff0ba573ff68 100644
--- a/clusters/app.ci/vault/manifests.yaml
+++ b/clusters/app.ci/vault/manifests.yaml
@@ -195,6 +195,7 @@ spec:
 - -vault-role=vault-subpath-proxy
 - --kubeconfig-dir=/etc/build-farm-credentials
 - --kubeconfig-suffix=config
+ - -read-only
 volumeMounts:
 - name: serving-cert
 mountPath: /var/run/serving-cert
diff --git a/clusters/app.ci/vault/secret-collection-manager.yaml b/clusters/app.ci/vault/secret-collection-manager.yaml
index 1c63b5a7c1ded..00f796f051017 100644
--- a/clusters/app.ci/vault/secret-collection-manager.yaml
+++ b/clusters/app.ci/vault/secret-collection-manager.yaml
@@ -17,7 +17,7 @@ metadata:
 keel.sh/trigger: poll
 keel.sh/pollSchedule: "@every 5m"
 spec:
- replicas: 2
+ replicas: 0
 strategy:
 type: RollingUpdate
 selector:
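Review bot: In clusters/app.ci/vault/manifests.yaml the added `- -read-only` argument is the only enforcement of the write freeze visible in this patch. No Vault policy or auth role is touched, so a client that can reach Vault without passing through this proxy container would presumably still be able to write; confirm that path is closed or out of scope. A comment above the argument, for example `# temporary write freeze, enforced by the proxy only`, would make that boundary explicit. Also confirm that the image currently deployed accepts the flag, since a binary that rejects an unknown argument at startup would turn the freeze into a loss of secret access. The container's args list starts, and its spec continues, outside the hunk.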
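Review bot: In clusters/app.ci/vault/secret-collection-manager.yaml nothing marks `replicas: 0` as deliberate or ties it to the read-only switch in manifests.yaml, so one of the two changes can later be reverted without the other. Add a comment above it such as `# scaled to 0 while Vault is read-only; restore to 2 when -read-only is removed from manifests.yaml`. The keel.sh poll annotations are left in place, so the Deployment will presumably start whatever image is current when it is scaled back up; check that this is intended. The Deployment spec continues outside the hunk.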