# SecretProviderClass — mounts Vault secrets as files via the CSI driver (E10-03).
#
# Prerequisites (both must be installed before this object is applied):
#   secrets-store-csi-driver + the HashiCorp Vault provider.
#   helm install csi secrets-store-csi-driver/secrets-store-csi-driver -n kube-system
#   helm install vault-csi hashicorp/vault --set "csi.enabled=true"
#
# Apply: kubectl apply -f deploy/k8s/vault/secret-provider.yaml -n veylant
#
# Review notes:
#   - `parameters.objects` is a literal block, i.e. a single string that the
#     Vault provider parses on its own. kubectl only sees opaque text, so a typo
#     inside it surfaces at mount time, not at apply time.
#   - `secretObjects` copies the mounted values into a Kubernetes Secret so they
#     can be consumed as env vars. That Secret is stored in etcd and is readable
#     by any principal with get/list on secrets in the `veylant` namespace, so
#     namespace RBAC (and etcd encryption at rest) is what protects it.
#   - `vaultAddress` is https; the provider must trust the Vault CA (presumably
#     via a CA parameter such as vaultCACertPath — confirm against the installed
#     provider version) or the mount fails.
#   - `roleName` must correspond to a Vault Kubernetes-auth role bound to the
#     proxy ServiceAccount; that binding lives in Vault, not in this file.
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: veylant-secrets
  namespace: veylant
spec:
  provider: vault
  parameters:
    # In-cluster Vault endpoint the CSI provider connects to.
    vaultAddress: 'https://vault.vault.svc.cluster.local:8200'
    # Vault Kubernetes-auth role the proxy ServiceAccount logs in as.
    roleName: 'veylant-proxy'
    # One file per entry under /mnt/secrets-store/<objectName>, holding the
    # value of <secretKey> read from <secretPath> (the /data/ segment suggests
    # these are KV v2 paths).
    objects: |
      - objectName: "openai-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "openai_api_key"
      - objectName: "anthropic-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "anthropic_api_key"
      - objectName: "mistral-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "mistral_api_key"
      - objectName: "aes-key-base64"
        secretPath: "secret/data/veylant/crypto"
        secretKey: "aes_key_base64"
      - objectName: "db-url"
        secretPath: "secret/data/veylant/database"
        secretKey: "url"
  # Mirror the mounted files into a Kubernetes Secret (see review notes above).
  # Each `key` is the data key in that Secret; the consuming Deployment is
  # expected to map it to the env var of the same name.
  secretObjects:
    - secretName: veylant-llm-keys
      type: Opaque
      data:
        - objectName: openai-api-key
          key: VEYLANT_PROVIDERS_OPENAI_API_KEY
        - objectName: anthropic-api-key
          key: VEYLANT_PROVIDERS_ANTHROPIC_API_KEY
        - objectName: mistral-api-key
          key: VEYLANT_PROVIDERS_MISTRAL_API_KEY
        - objectName: aes-key-base64
          key: VEYLANT_CRYPTO_AES_KEY_BASE64
        - objectName: db-url
          key: VEYLANT_DATABASE_URL