---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: matrix
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: tuwunel-secrets
  namespace: matrix
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: tuwunel
  refreshAfter: 60s
  destination:
    name: tuwunel-secrets
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        TUWUNEL_OIDC_CLIENT_ID:
          text: "{{ index .Secrets \"oidc-client-id\" }}"
        TUWUNEL_OIDC_CLIENT_SECRET:
          text: "{{ index .Secrets \"oidc-client-secret\" }}"
        TUWUNEL_TURN_SECRET:
          text: "{{ index .Secrets \"turn-secret\" }}"
        TUWUNEL_REGISTRATION_TOKEN:
          text: "{{ index .Secrets \"registration-token\" }}"