---
# VaultAuth for VSO to authenticate in the data namespace.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: data
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# Scaleway S3 credentials for CNPG barman backups.
# OpenBao KV path: secret/scaleway-s3 (keys: access-key-id, secret-access-key)
# Seeded by: sunbeam seed (reads from scw CLI config)
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: barman-s3-creds
  namespace: data
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: scaleway-s3
  refreshAfter: 30s
  destination:
    name: barman-s3-creds
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        ACCESS_KEY_ID:
          text: "{{ index .Secrets \"access-key-id\" }}"
        ACCESS_SECRET_KEY:
          text: "{{ index .Secrets \"secret-access-key\" }}"