# Kubernetes ServiceAccount for the Veylant proxy pod (E10-03).
# Vault authenticates the proxy with this ServiceAccount's JWT (Kubernetes auth
# method), so the SA name and namespace below are the identity Vault sees.
# NOTE(review): confirm the Vault role "veylant-proxy" is bound to exactly this
# SA name and namespace (bound_service_account_names /
# bound_service_account_namespaces) and that its policy grants read-only access
# to secret/data/veylant/llm-keys and nothing else.
# Apply: kubectl apply -f deploy/k8s/vault/serviceaccount.yaml -n veylant
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: veylant-proxy
  namespace: veylant
  annotations:
    # Request Vault Agent sidecar injection for automatic secret management.
    # NOTE(review): the Vault Agent Injector webhook reads vault.hashicorp.com/*
    # annotations from Pod metadata. On a ServiceAccount they are not acted on,
    # so verify that the proxy Deployment's pod template carries the same
    # annotations; otherwise no secrets are injected.
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "veylant-proxy"
    # Render the LLM provider API keys and the AES key into a file of shell
    # `export` lines (KV v2 path, hence `.Data.data`). The agent writes a file
    # (by default /vault/secrets/llm-keys); the values become environment
    # variables only if the container entrypoint sources that file.
    # NOTE(review): values are interpolated unescaped inside double quotes, so a
    # secret containing `"`, `$`, a backtick or a backslash is altered or
    # interpreted by the shell when the file is sourced. Constrain the stored
    # values to shell-safe characters or have the proxy read the file directly.
    # NOTE(review): exported variables are inherited by child processes and are
    # readable through the process environment; consider consuming the AES key
    # from the rendered file instead of the environment.
    vault.hashicorp.com/agent-inject-secret-llm-keys: "secret/data/veylant/llm-keys"
    vault.hashicorp.com/agent-inject-template-llm-keys: |
      {{- with secret "secret/data/veylant/llm-keys" -}}
      export VEYLANT_PROVIDERS_OPENAI_API_KEY="{{ .Data.data.openai_api_key }}"
      export VEYLANT_PROVIDERS_ANTHROPIC_API_KEY="{{ .Data.data.anthropic_api_key }}"
      export VEYLANT_PROVIDERS_MISTRAL_API_KEY="{{ .Data.data.mistral_api_key }}"
      export VEYLANT_CRYPTO_AES_KEY_BASE64="{{ .Data.data.aes_key_base64 }}"
      {{- end }}