// Manifests for the "drone" namespace: the application entry produced by
// appDef.localApplication (defined in app-definitions.libsonnet, not shown here)
// plus two Vault Secrets Operator resources that sync the Gitea OAuth
// credentials from Vault into a Kubernetes Secret.
local appDef = import './app-definitions.libsonnet';

// Values shared by the resources below, named once so they cannot drift apart.
local namespace = "drone";
local vsoApiVersion = "secrets.hashicorp.com/v1beta1";
local vaultAuthName = "static-auth";
local oauthSecretName = "gitea-oauth-creds";

[
  appDef.localApplication(name="drone"),

  // TODO - maybe extract this, too?
  //
  // Kubernetes-auth login that the VaultStaticSecret below refers to by name.
  // NOTE(review): this logs in as the namespace's `default` ServiceAccount.
  // Pods that do not set their own serviceAccountName also run as `default`,
  // so the identity trusted by the Vault role is presumably shared with every
  // such workload in this namespace. A dedicated ServiceAccount would narrow
  // that, but needs a matching change to the Vault role binding, which is not
  // visible from this file - confirm before changing.
  {
    apiVersion: vsoApiVersion,
    kind: "VaultAuth",
    metadata: {
      name: vaultAuthName,
      namespace: namespace,
    },
    spec: {
      method: "kubernetes",
      mount: "kubernetes",
      kubernetes: {
        role: "vault-secrets-operator",
        serviceAccount: "default",
        // Audience requested for the ServiceAccount token presented to Vault.
        audiences: ["vault"],
      },
    },
  },

  // Note that currently the Vault-side secret is created manually and
  // statically. It'd be really cool for cold-start setup if OAuth App creation
  // could be triggered at Gitea startup, and a secret automatically created!
  //
  // Copies kv-v2 `shared-secrets/gitea/oauth-creds` into a Kubernetes Secret in
  // this namespace and re-reads it every 30s.
  // NOTE(review): the synced Secret holds OAuth client credentials in the
  // cluster, so read access to Secrets in this namespace should be limited by
  // RBAC. The mount name suggests other consumers share it; check that the
  // Vault policy behind the role is scoped to this path only (policy not
  // visible here).
  {
    apiVersion: vsoApiVersion,
    kind: "VaultStaticSecret",
    metadata: {
      name: oauthSecretName,
      namespace: namespace,
    },
    spec: {
      type: "kv-v2",
      mount: "shared-secrets",
      path: "gitea/oauth-creds",
      destination: {
        name: oauthSecretName,
        // Let the operator create the destination Secret if it does not exist.
        create: true,
      },
      refreshAfter: "30s",
      vaultAuthRef: vaultAuthName,
    },
  },
]