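---
# VaultAuth shared by every Vault*Secret in the `lasuite` namespace
# (each one references it through `vaultAuthRef: vso-auth`).
# NOTE(review): this binds the Vault role `vso` to the namespace's `default`
# service account. Any pod in `lasuite` that automounts the default SA token
# can then log in as `vso` and read every secret synced in this file. A
# dedicated service account for the operator (placeholder: <vso-service-account>),
# with the Vault role bound only to it, keeps that access limited to VSO itself.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vso-auth
  namespace: lasuite
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso
    serviceAccount: default
---
# SeaweedFS S3 credentials from KV v2 (`secret/seaweedfs`).
# `excludeRaw` keeps the untemplated raw payload out of the Kubernetes Secret,
# so only the two templated keys below are written to it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: seaweedfs-s3-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
  destination:
    name: seaweedfs-s3-credentials
    create: true
    # Take over the Secret if it already exists.
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        S3_ACCESS_KEY:
          text: '{{ index .Secrets "access-key" }}'
        S3_SECRET_KEY:
          text: '{{ index .Secrets "secret-key" }}'
---
# Hive DB credentials from OpenBao database secrets engine (static role, 24h rotation).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: hive-db-url
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
  # NOTE(review): static roles carry no lease to renew; VSO has
  # `allowStaticCreds: true` for this path shape. Confirm the deployed
  # operator version honours `refreshAfter` on a static role without it.
  refreshAfter: 1h
  # Restart the consumer so it picks up the rotated credentials.
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
  destination:
    name: hive-db-url
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        url:
          # The password lands in the userinfo part of a URL, so it is
          # percent-encoded: a rotated value containing `@`, `/`, `:` or `#`
          # would otherwise split the URL in the wrong place. `urlquery` is a
          # Go text/template builtin; with the engine's default password
          # charset the encoding is a no-op — verify if a custom password
          # policy is attached to the role.
          text: 'postgresql://{{ index .Secrets "username" }}:{{ index .Secrets "password" | urlquery }}@postgres-rw.data.svc.cluster.local:5432/hive_db'
---
# OIDC client credentials for Hive from KV v2 (`secret/hive`).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: hive-oidc
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: hive
  refreshAfter: 30s
  destination:
    name: hive-oidc
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        'client-id':
          text: '{{ index .Secrets "oidc-client-id" }}'
        'client-secret':
          text: '{{ index .Secrets "oidc-client-secret" }}'
---
# People DB credentials from OpenBao database secrets engine (static role, 24h rotation).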
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: people-db-credentials
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
  # NOTE(review): static roles carry no lease to renew; VSO has
  # `allowStaticCreds: true` for this path shape. Confirm the deployed
  # operator version honours `refreshAfter` on a static role without it.
  refreshAfter: 1h
  # Presumably all three workloads read this password; each is restarted
  # when the synced Secret changes.
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
    - kind: Deployment
      name: people-celery-worker
    - kind: Deployment
      name: people-celery-beat
  destination:
    name: people-db-credentials
    create: true
    overwrite: true
    transformation:
      # Only the templated `password` key is written; the raw payload is excluded.
      excludeRaw: true
      templates:
        password:
          text: '{{ index .Secrets "password" }}'
---
# Django secret key for People from KV v2 (`secret/people`).
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: people-django-secret
  namespace: lasuite
spec:
  vaultAuthRef: vso-auth
  mount: secret
  type: kv-v2
  path: people
  refreshAfter: 30s
  destination:
    name: people-django-secret
    create: true
    overwrite: true
    transformation:
      excludeRaw: true
      templates:
        DJANGO_SECRET_KEY:
          text: '{{ index .Secrets "django-secret-key" }}'