---
# Vault Secrets Operator (VSO) auth configuration for the `matrix` namespace.
# The operator logs in to Vault through the Kubernetes auth method mounted at
# `kubernetes`, using Vault role `vso`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: matrix
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    # NOTE(review): `default` is the ServiceAccount that pods in this
    # namespace run as when they do not name one. If the Vault role `vso` is
    # bound to it, those pods' tokens may also be accepted for this role.
    # A dedicated ServiceAccount used only by VSO would narrow that; the Vault
    # role binding would have to change with it. Confirm against the role.
    serviceAccount: default
---
# Syncs the kv-v2 secret `secret/tuwunel` into the Kubernetes Secret
# `tuwunel-secrets`, re-read every 60s.
# NOTE(review): the policy attached to Vault role `vso` should grant read on
# only the paths synced in this file (for kv-v2: `secret/data/tuwunel` and
# `secret/data/sol`). Verify on the Vault side.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: tuwunel-secrets
  namespace: matrix
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: tuwunel
  refreshAfter: 60s
  # NOTE(review): no rolloutRestartTargets here, unlike sol-secrets below.
  # Presumably the consuming workload will keep the old values after a
  # rotation until it is restarted some other way. Confirm this is intended.
  destination:
    name: tuwunel-secrets
    create: true
    # overwrite lets the operator replace an existing Secret of this name that
    # it did not create; make sure nothing else manages `tuwunel-secrets`.
    overwrite: true
    transformation:
      # Keeps the raw Vault response (`_raw`) out of the destination Secret.
      excludeRaw: true
      # Renders Vault fields under TUWUNEL_* key names, presumably so they can
      # be consumed as environment variables. Verify against the workload.
      templates:
        TUWUNEL_OIDC_CLIENT_ID:
          text: '{{ index .Secrets "oidc-client-id" }}'
        TUWUNEL_OIDC_CLIENT_SECRET:
          text: '{{ index .Secrets "oidc-client-secret" }}'
        TUWUNEL_TURN_SECRET:
          text: '{{ index .Secrets "turn-secret" }}'
        TUWUNEL_REGISTRATION_TOKEN:
          text: '{{ index .Secrets "registration-token" }}'
---
# Syncs the kv-v2 secret `secret/sol` into the Kubernetes Secret `sol-secrets`,
# re-read every 60s, and restarts the `sol` Deployment when the data changes.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: sol-secrets
  namespace: matrix
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: sol
  refreshAfter: 60s
  # Rotated values reach the pods through a rollout restart of this workload.
  rolloutRestartTargets:
    - kind: Deployment
      name: sol
  destination:
    name: sol-secrets
    create: true
    # overwrite lets the operator replace an existing Secret of this name that
    # it did not create; make sure nothing else manages `sol-secrets`.
    overwrite: true
    transformation:
      # Keeps the raw Vault response (`_raw`) out of the destination Secret.
      excludeRaw: true
      # NOTE(review): each template re-emits a field under its own name. If no
      # includes/excludes filter is needed, these may be redundant. Verify.
      # NOTE(review): this Secret carries Gitea admin credentials and a Matrix
      # access token. Confirm `sol` needs admin-level access, and restrict
      # read access to `sol-secrets` through RBAC.
      templates:
        matrix-access-token:
          text: '{{ index .Secrets "matrix-access-token" }}'
        matrix-device-id:
          text: '{{ index .Secrets "matrix-device-id" }}'
        mistral-api-key:
          text: '{{ index .Secrets "mistral-api-key" }}'
        gitea-admin-username:
          text: '{{ index .Secrets "gitea-admin-username" }}'
        gitea-admin-password:
          text: '{{ index .Secrets "gitea-admin-password" }}'