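---
# VaultAuth: how the Vault Secrets Operator (VSO) logs in to Vault for the
# `storage` namespace. The VaultStaticSecret resources below select it by
# name through `vaultAuthRef`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: storage
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    # NOTE(review): the login uses the namespace's `default` ServiceAccount,
    # which is also what every pod in `storage` runs as unless it sets its
    # own. A dedicated ServiceAccount bound to the `vso` role would keep
    # unrelated workloads from sharing this identity; confirm the role's
    # bound accounts and policies in Vault before changing it.
    serviceAccount: default
---
# Scaleway S3 credentials for SeaweedFS remote sync.
# Same KV path as barman; synced separately so storage namespace has its own
# Secret.
# NOTE(review): unlike the two SeaweedFS secrets below, this one lists no
# rolloutRestartTargets; confirm the consumer picks up rotated keys.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: scaleway-s3-creds
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: scaleway-s3
  refreshAfter: 30s
  destination:
    name: scaleway-s3-creds
    create: true
    # Replaces an existing Secret of the same name; make sure nothing else
    # manages `scaleway-s3-creds` in this namespace.
    overwrite: true
    transformation:
      # Keeps the raw Vault response out of the destination Secret.
      excludeRaw: true
      templates:
        ACCESS_KEY_ID:
          text: '{{ index .Secrets "access-key-id" }}'
        SECRET_ACCESS_KEY:
          text: '{{ index .Secrets "secret-access-key" }}'
---
# SeaweedFS S3 key pair as two separate Secret keys, read from the
# `seaweedfs` KV path. A change restarts the seaweedfs-filer Deployment.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-credentials
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'
---
# The same `seaweedfs` key pair rendered as an `s3.json` identities document.
# NOTE(review): this resource and seaweedfs-s3-credentials both watch the
# same KV path and both restart seaweedfs-filer, so one rotation may cause
# two rollouts — confirm that is acceptable.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-json
  namespace: storage
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  rolloutRestartTargets:
    - kind: Deployment
      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-json
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        # NOTE(review): the two secret values are pasted into the JSON text
        # without escaping. A value containing `"` or `\` would yield invalid
        # or altered JSON; either restrict the key alphabet in Vault or
        # JSON-encode the values in the template if the operator version in
        # use offers a function for it.
        # NOTE(review): the single `seaweed` identity carries Admin as well
        # as Read/Write/List/Tagging. If consumers only need object access,
        # a separate non-Admin identity would limit what a leaked key can
        # do — confirm against how the key is used.
        "s3.json":
          text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'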