---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: media
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# LiveKit API keys — mounted as keys.yaml into livekit-server pod.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: livekit-api-credentials
  namespace: media
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: livekit
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: livekit-server
  destination:
    name: livekit-api-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        keys.yaml:
          text: '{{ index .Secrets "api-key" }}: {{ index .Secrets "api-secret" }}'