Set up Vault Secrets Operator

Prerequisite that Vault is configured with authentication per
https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator#configure-vault

The plan would eventually be to manage Vault objects via
[Crossplane](https://www.crossplane.io/).

app-of-apps/vault-secrets-operator.jsonnet

@@ -0,0 +1,38 @@
+// https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator
+//
+// Note that this has a prerequiste that the Vault system has been configured with appropriate
+// authentication first. In particular, the specification of the set of namespaces that secrets can be synced to is set
+// in `bound_service_account_namespaces` in the Vault role.
+local appDef = import './app-definitions.libsonnet';
+
+appDef.helmApplication(
+    name="vault-secrets-operator",
+    sourceRepoUrl="https://helm.releases.hashicorp.com",
+    sourceChart="vault-secrets-operator",
+    sourceTargetRevision="0.5.2",
+    namespace="vault-secrets-operator-system",
+    helmValues={
+        defaultVaultConnection: {
+            enabled: true,
+            address: "http://vault.vault.svc.cluster.local:8200",
+            skipTLSVerify: false
+        },
+        controller: {
+            manager: {
+                clientCache: {
+                    persistenceModel: "direct-encrypted",
+                    storageEncryption: {
+                        enabled: true,
+                        mount: "demo-auth-mount",
+                        keyName: "vso-client-cache",
+                        transitMount: "demo-transit",
+                        kubernetes: {
+                            role: "auth-role-operator",
+                            serviceAccount: "demo-operator"
+                        }
+                    }
+                }
+            }
+        }
+    }
+)