From b856fd2bc5dd047ca93809bd102315cf867740d3 Mon Sep 17 00:00:00 2001
From: Jack Jackson
Date: Sun, 21 Apr 2024 12:27:53 -0700
Subject: [PATCH] Set up Vault Secrets Operator

Prerequisite that Vault is configured with authentication per https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator#configure-vault The plan would eventually be to manage Vault objects via [Crossplane](https://www.crossplane.io/).
---
 app-of-apps/vault-secrets-operator.jsonnet | 38 ++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 app-of-apps/vault-secrets-operator.jsonnet

diff --git a/app-of-apps/vault-secrets-operator.jsonnet b/app-of-apps/vault-secrets-operator.jsonnet
new file mode 100644
index 0000000..3789379
--- /dev/null
+++ b/app-of-apps/vault-secrets-operator.jsonnet
@@ -0,0 +1,38 @@
+// https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator
+//
+// Note that this has a prerequiste that the Vault system has been configured with appropriate
+// authentication first. In particular, the specification of the set of namespaces that secrets can be synced to is set
+// in `bound_service_account_namespaces` in the Vault role.
+local appDef = import './app-definitions.libsonnet';
+
+appDef.helmApplication(
+  name="vault-secrets-operator",
+  sourceRepoUrl="https://helm.releases.hashicorp.com",
+  sourceChart="vault-secrets-operator",
+  sourceTargetRevision="0.5.2",
+  namespace="vault-secrets-operator-system",
+  helmValues={
+    defaultVaultConnection: {
+      enabled: true,
+      address: "http://vault.vault.svc.cluster.local:8200",
+      skipTLSVerify: false
+    },
+    controller: {
+      manager: {
+        clientCache: {
+          persistenceModel: "direct-encrypted",
+          storageEncryption: {
+            enabled: true,
+            mount: "demo-auth-mount",
+            keyName: "vso-client-cache",
+            transitMount: "demo-transit",
+            kubernetes: {
+              role: "auth-role-operator",
+              serviceAccount: "demo-operator"
+            }
+          }
+        }
+      }
+    }
+  }
+)
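Review bot: `defaultVaultConnection.address` points at a plain `http://` URL, so the `skipTLSVerify: false` on the next line never takes effect and the operator's Kubernetes auth JWT, the Vault tokens it receives, and every synced secret cross the cluster network unencrypted. If the Vault listener offers TLS, switch to `address: "https://vault.vault.svc.cluster.local:8200"` and reference the CA through the chart's `caCertSecret` value so verification actually happens; if plaintext is intentional for a lab, a comment saying so would stop a reader from assuming the `false` is providing protection. The `demo-auth-mount`, `demo-transit`, `auth-role-operator` and `demo-operator` values under `storageEncryption` are taken verbatim from the linked tutorial and have to match the Vault-side configuration the header comment calls a prerequisite; a comment there such as `// Mount, role and service account names must match the Vault auth/transit setup referenced above.` would make that coupling explicit. The header comment also misspells "prerequisite" as `prerequiste`.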