docs: Update all documentation with Vault credential requirements

Updated comprehensive documentation across README, QUICKSTART, and
MIGRATION_GUIDE to clarify that Renovate credentials are stored in
HashiCorp Vault, not passed as Terraform variables.

Changes to README.md:
- Added detailed Vault setup section in Gitea Bot Setup
- Documented all 5 required keys in secret/renovate path
- Added vault kv put example with all required fields
- Added token regeneration instructions
- Clarified prerequisites to include Vault secret requirements
- Emphasized CRITICAL nature of Vault storage

Changes to QUICKSTART.md:
- Added comprehensive Step 3: Store Credentials in Vault
- Included complete vault kv put command with all keys
- Added verification steps with expected output
- Listed common mistakes to avoid (missing username, wrong endpoint, etc.)
- Updated Step 4 to clarify tfvars only needs Vault auth
- Renumbered subsequent steps (5-9)
- Added environment variable verification in Step 6
- Added troubleshooting steps for authentication errors

Changes to MIGRATION_GUIDE.md:
- Clearly separated Vault-stored config from Terraform variables
- Added vault kv put example in New Required Configuration section
- Updated migration steps to include Vault credential storage
- Clarified that renovate_endpoint and renovate_token are NOT tfvars
- Listed all 5 required Vault keys with descriptions

These changes address the authentication failures caused by:
- Missing renovate_username in environment variables
- Confusion about where credentials should be stored
- Token regeneration without updating Vault

All documentation now consistently emphasizes the Vault-first approach
and provides clear, copy-paste-ready commands for proper setup.

MIGRATION_GUIDE.md

@@ -43,21 +43,35 @@ This module has been completely repurposed from deploying Ansible Event-Driven A
 - `upload_example_rulebook` → Use `upload_config_file` instead
 - `cpu_limit` → Removed (can be added back if needed)
 
-#### New Required Variables
+#### New Required Configuration (Stored in Vault)
 
+**CRITICAL**: The following values are NOT Terraform variables. They must be stored in HashiCorp Vault at path `secret/renovate`:
+
+- `renovate_platform` - Must be "gitea"
 - `renovate_endpoint` - Gitea API endpoint (e.g., `https://gitea.example.com/api/v1/`)
 - `renovate_token` - Gitea personal access token for the bot
+- `renovate_git_author` - Git commit author (e.g., "Renovate Bot <bot@example.com>")
+- `renovate_username` - Bot username (e.g., "renovate-bot")
 
-#### New Optional Variables
+**Store in Vault using:**
+```bash
+vault kv put secret/renovate \
+  renovate_platform="gitea" \
+  renovate_endpoint="https://gitea.example.com/api/v1/" \
+  renovate_token="YOUR_GITEA_TOKEN" \
+  renovate_git_author="Renovate Bot <renovate-bot@example.com>" \
+  renovate_username="renovate-bot"
+```
 
-- `renovate_platform` - Git platform (default: "gitea")
-- `renovate_git_author` - Git commit author
-- `renovate_username` - Bot username
-- `renovate_autodiscover` - Enable auto-discovery
-- `renovate_onboarding_config` - Onboarding configuration
-- `github_com_token` - Optional GitHub.com token
-- `restart_policy` - Container restart policy
-- `upload_config_file` - Upload config.js template
+#### New Optional Variables (Terraform)
+
+- `github_com_token` - Optional GitHub.com token for changelog fetching
+- `restart_policy` - Container restart policy (default: "unless-stopped")
+- `upload_config_file` - Upload config.js template (default: true)
+- `renovate_autodiscover` - Enable auto-discovery (default: true)
+- `renovate_onboarding_config` - Onboarding configuration JSON
+- `log_level` - Logging level (default: "info")
+- `extra_env_vars` - Additional environment variables
 
 ### 6. Configuration Files
 
@@ -88,10 +102,28 @@ This is the safest approach if you don't need to preserve the existing infrastru
    terraform destroy
    ```
 
-3. **Update Configuration**:
-   - Update `terraform.tfvars` with new variables
-   - Add `renovate_endpoint` and `renovate_token`
+3. **Store Renovate Credentials in Vault**:
+   ```bash
+   # Authenticate to Vault
+   export VAULT_ADDR="https://your-vault-server:8200"
+   vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID
+
+   # Store Renovate credentials
+   vault kv put secret/renovate \
+     renovate_platform="gitea" \
+     renovate_endpoint="https://gitea.example.com/api/v1/" \
+     renovate_token="YOUR_GITEA_TOKEN" \
+     renovate_git_author="Renovate Bot <renovate-bot@example.com>" \
+     renovate_username="renovate-bot"
+
+   # Verify
+   vault kv get secret/renovate
+   ```
+
+4. **Update Configuration**:
+   - Update `terraform.tfvars` with only Vault credentials
    - Remove old EDA-specific variables
+   - Do NOT add `renovate_endpoint` or `renovate_token` to tfvars (they're in Vault)
 
 4. **Initialize and Deploy**:
    ```bash

QUICKSTART.md

@@ -29,28 +29,74 @@ This is a quick reference for getting Renovate up and running with Gitea.
    - ☑️ `user` (Read)
    - ☑️ `issue` (Read and Write)
    - ☑️ `organization` (Read)
-5. Generate and **save the token securely**
+5. Click **Generate Token**
+6. **IMMEDIATELY COPY THE TOKEN** - You won't be able to see it again!
+7. Save the token securely - you'll need it for the next step
 
-## Step 3: Configure terraform.tfvars
+## Step 3: Store Credentials in HashiCorp Vault
 
-Edit `terraform.tfvars` and update:
+**CRITICAL**: This module retrieves all Renovate configuration from Vault, NOT from Terraform variables.
+
+```bash
+# Set your Vault address
+export VAULT_ADDR="https://your-vault-server:8200"
+
+# Authenticate to Vault using AppRole
+vault login -method=approle \
+  role_id=YOUR_VAULT_ROLE_ID \
+  secret_id=YOUR_VAULT_SECRET_ID
+
+# Store all Renovate credentials in Vault
+vault kv put secret/renovate \
+  renovate_platform="gitea" \
+  renovate_endpoint="https://gitea.bsdserver.nl/api/v1/" \
+  renovate_token="YOUR_TOKEN_FROM_STEP_2" \
+  renovate_git_author="Renovate Bot <renovate-bot@bsdserver.nl>" \
+  renovate_username="renovate-bot"
+
+# IMPORTANT: Verify the secrets were stored correctly
+vault kv get secret/renovate
+```
+
+**Expected output:**
+```
+====== Data ======
+Key                    Value
+---                    -----
+renovate_platform      gitea
+renovate_endpoint      https://gitea.bsdserver.nl/api/v1/
+renovate_token         <your-token>
+renovate_git_author    Renovate Bot <renovate-bot@bsdserver.nl>
+renovate_username      renovate-bot
+```
+
+**⚠️ Common Mistakes to Avoid:**
+- ❌ Endpoint without trailing `/api/v1/`
+- ❌ Forgetting the `renovate_username` key
+- ❌ Using wrong Vault path (must be `secret/renovate`)
+- ❌ Token with insufficient scopes
+
+**If you need to update the token later:**
+```bash
+vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE"
+```
+
+## Step 4: Configure terraform.tfvars
+
+Edit `terraform.tfvars` and update only these values:
 
 ```hcl
-# Renovate Configuration
-domain              = "bsdserver.nl"
+# Vault Authentication (required)
 role_id   = "your-vault-role-id"
 secret_id = "your-vault-secret-id"
 
-# Gitea Configuration
-renovate_endpoint   = "https://gitea.bsdserver.nl/api/v1/"
-renovate_token      = "your-gitea-token-from-step-2"
-renovate_git_author = "Renovate Bot <renovate-bot@bsdserver.nl>"
-renovate_username   = "renovate-bot"
+# Optional: Domain configuration
+domain = "bsdserver.nl"
 ```
 
-**Important**: Replace `your-gitea-token-from-step-2` with the actual token from Step 2.
+**Note**: `renovate_endpoint`, `renovate_token`, `renovate_git_author`, and `renovate_username` are NOT Terraform variables - they come from Vault!
 
-## Step 4: Deploy Renovate
+## Step 5: Deploy Renovate
 
 ```bash
 # Initialize Terraform
@@ -65,22 +111,39 @@ terraform apply
 
 Type `yes` when prompted to confirm.
 
-## Step 5: Verify Deployment
+## Step 6: Verify Deployment
 
 ```bash
 # Check container is running
 docker ps | grep renovate
 
-# View logs
+# View logs (watch for errors)
 docker logs renovate -f
+
+# Check environment variables are set correctly
+docker exec renovate env | grep RENOVATE
 ```
 
-Look for messages like:
+**Expected environment variables:**
+- ✅ `RENOVATE_PLATFORM=gitea`
+- ✅ `RENOVATE_ENDPOINT=https://gitea.bsdserver.nl/api/v1/`
+- ✅ `RENOVATE_TOKEN=<your-token>`
+- ✅ `RENOVATE_GIT_AUTHOR=Renovate Bot <renovate-bot@bsdserver.nl>`
+- ✅ `RENOVATE_USERNAME=renovate-bot`
+- ✅ `RENOVATE_AUTODISCOVER=true`
+
+**Look for SUCCESS messages in logs:**
 - ✅ "Platform: gitea"
 - ✅ "Autodiscovering repositories"
 - ✅ "Repository: owner/repo"
 
-## Step 6: Add Renovate to a Test Repository
+**❌ If you see authentication errors:**
+1. Verify the token is correct in Vault: `vault kv get secret/renovate`
+2. Check the token hasn't expired in Gitea
+3. Verify all 5 required keys are in Vault (especially `renovate_username`)
+4. Ensure the endpoint URL ends with `/api/v1/`
+
+## Step 7: Add Renovate to a Test Repository
 
 1. Navigate to a test repository in Gitea
 2. Add `renovate-bot` as a collaborator with **Write** access
@@ -98,7 +161,7 @@ Look for messages like:
 
 4. Commit and push
 
-## Step 7: Wait for Onboarding PR
+## Step 8: Wait for Onboarding PR
 
 Within a few minutes (depends on your container restart schedule), Renovate will:
 
@@ -108,7 +171,7 @@ Within a few minutes (depends on your container restart schedule), Renovate will
 
 **Review and merge the onboarding PR** to activate Renovate.
 
-## Step 8: Configure Scheduling (Optional)
+## Step 9: Configure Scheduling (Optional)
 
 Choose one of these methods:
 

README.md

@@ -66,6 +66,7 @@ Before using this module, ensure you have:
 7. **HashiCorp Vault**: Running instance with:
    - AppRole authentication enabled
    - DNS credentials stored at `secret/dns`
+   - Renovate credentials stored at `secret/renovate` (see Vault Setup section)
    - Role ID and Secret ID for authentication
 8. **MinIO/S3 Backend**: For Terraform state storage
 9. **DNS Server**: Supporting dynamic updates (TSIG authentication) - optional
@@ -92,9 +93,43 @@ In your Gitea instance:
    - `user` (Read)
    - `issue` (Read and Write)
    - `organization` (Read)
-5. Save the token securely - you'll need it for the `renovate_token` variable
+5. **IMPORTANT**: Copy the token immediately - you won't be able to see it again
+6. Save the token securely - you'll need it for Vault storage (next step)
 
-### 3. Configure Repository Access
+### 3. Store Credentials in Vault
+
+**CRITICAL**: All Renovate configuration must be stored in Vault at `secret/renovate` before deploying this module.
+
+```bash
+# Authenticate to Vault
+export VAULT_ADDR="https://your-vault-server:8200"
+vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID
+
+# Store Renovate credentials in Vault
+vault kv put secret/renovate \
+  renovate_platform="gitea" \
+  renovate_endpoint="https://gitea.example.com/api/v1/" \
+  renovate_token="YOUR_GITEA_TOKEN_FROM_STEP_2" \
+  renovate_git_author="Renovate Bot <renovate-bot@example.com>" \
+  renovate_username="renovate-bot"
+
+# Verify the secrets are stored correctly
+vault kv get secret/renovate
+```
+
+**Required Keys in `secret/renovate`:**
+- `renovate_platform` - Must be "gitea"
+- `renovate_endpoint` - Your Gitea API endpoint (must end with `/api/v1/`)
+- `renovate_token` - The Personal Access Token from Step 2
+- `renovate_git_author` - Git commit author for Renovate PRs
+- `renovate_username` - The Gitea username of the bot account
+
+**Note**: If you regenerate the Gitea token, you must update it in Vault:
+```bash
+vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE"
+```
+
+### 4. Configure Repository Access
 
 For each repository you want Renovate to manage: