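# Vault Kubernetes authentication configuration (E10-03).
# Binds the veylant-proxy ServiceAccount to the Vault role defined in vault-policy.hcl.
#
# Prerequisites: Vault Kubernetes auth method enabled.
#   vault auth enable kubernetes
#   vault write auth/kubernetes/config kubernetes_host="https://$K8S_HOST:443"
#
# Apply: kubectl apply -f deploy/k8s/vault/vault-auth.yaml -n veylant
# Note: only the ConfigMap below is namespaced; the ClusterRoleBinding is
# cluster-scoped, so the -n flag has no effect on it.
---
# No VaultAuth custom resource is defined in this file. Workloads authenticate
# through the Vault Agent Injector annotations declared in serviceaccount.yaml;
# this ConfigMap only records the Vault connection parameters for reference
# (it is not what the injector reads).
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: veylant
data:
  # Vault server address — override with VAULT_ADDR env var or Helm values.
  # NOTE(review): the endpoint is HTTPS but no CA bundle (e.g. VAULT_CACERT)
  # is recorded here — confirm how clients validate the server certificate.
  VAULT_ADDR: "https://vault.vault.svc.cluster.local:8200"
  # Vault namespace (Enterprise only; leave empty for open-source Vault).
  # Kept as an explicit empty string so the key is present and not null.
  VAULT_NAMESPACE: ""
  # Kubernetes auth mount path (login endpoint is <path>/login).
  VAULT_AUTH_PATH: "auth/kubernetes"
  # Vault role bound to the veylant-proxy ServiceAccount.
  # NOTE(review): the role should pin bound_service_account_names and
  # bound_service_account_namespaces to veylant-proxy / veylant; an
  # unrestricted binding would let any SA in the cluster assume this role —
  # confirm against the role definition.
  VAULT_ROLE: "veylant-proxy"
---
# ClusterRoleBinding allowing Vault to verify ServiceAccount tokens.
# system:auth-delegator grants the subject cluster-wide TokenReview and
# SubjectAccessReview access, which the Vault server needs to validate the
# JWTs presented at login. The subject is the Vault server's own
# ServiceAccount (vault/vault), not veylant-proxy; that account must exist
# or the binding is inert. Anyone able to act as that account inherits the
# same token-review capability, so restrict access to the vault namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-token-reviewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault
    namespace: vault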