// Deploys the HashiCorp Vault Secrets Operator Helm chart through the shared helmApplication helper.
// https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator
//
// Prerequisite: the Vault system must already be configured with appropriate authentication.
// In particular, the set of namespaces that secrets can be synced to is defined by
// `bound_service_account_namespaces` in the Vault role, not by anything in this file; keep that
// list limited to the namespaces that actually need synced secrets.
local appDef = import './app-definitions.libsonnet';

// How the operator reaches Vault by default.
// NOTE(review): the address is plain http://, so `skipTLSVerify: false` has no effect here and the
// operator's Vault tokens and the secret values it reads would cross the cluster network
// unencrypted. Confirm whether the Vault listener can serve TLS; if so, use https:// and supply
// the CA through the chart's `caCertSecret` value.
local vaultConnection = {
  enabled: true,
  address: "http://vault.vault.svc.cluster.local:8200",
  skipTLSVerify: false,
};

// Encryption settings for the persisted client cache: the operator logs in through the
// Kubernetes auth mount with the given role and service account, then uses the named key on
// the Transit mount.
// NOTE(review): the mount names carry a "demo" prefix; confirm they match the target Vault.
local cacheEncryption = {
  enabled: true,
  mount: "demo-auth-mount",
  keyName: "vso-client-cache",
  transitMount: "demo-transit",
  kubernetes: {
    role: "auth-role-operator",
    serviceAccount: "demo-operator",
  },
};

// "direct-encrypted" keeps the operator's Vault client cache in encrypted form rather than
// storing it in plaintext.
local clientCache = {
  persistenceModel: "direct-encrypted",
  storageEncryption: cacheEncryption,
};

appDef.helmApplication(
  name="vault-secrets-operator",
  sourceRepoUrl="https://helm.releases.hashicorp.com",
  sourceChart="vault-secrets-operator",
  // Chart version is pinned so upgrades are an explicit, reviewable change.
  sourceTargetRevision="0.5.2",
  namespace="vault-secrets-operator-system",
  helmValues={
    defaultVaultConnection: vaultConnection,
    controller: {
      manager: {
        clientCache: clientCache,
      },
    },
  }
)