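# SecretProviderClass — mounts Vault secrets as files via the CSI driver (E10-03).
#
# Prerequisites: secrets-store-csi-driver + vault-provider installed in the cluster.
#
# The `secretObjects` section below asks the driver to mirror the mounted files
# into a Kubernetes Secret. That feature is off by default in the driver's Helm
# chart and needs `syncSecret.enabled=true` (it also grants the driver the RBAC
# it needs to create/update Secrets). Without it the volume still mounts, but
# no `veylant-llm-keys` Secret ever appears and env-var injection fails.
#
# helm install csi secrets-store-csi-driver/secrets-store-csi-driver -n kube-system \
#   --set syncSecret.enabled=true
# helm install vault-csi hashicorp/vault --set "csi.enabled=true"
#
# Apply: kubectl apply -f deploy/k8s/vault/secret-provider.yaml -n veylant
#
# Operational notes (driver/provider behaviour — confirm against the versions
# actually installed):
#   - The synced Secret is created when the first pod that mounts this
#     SecretProviderClass volume starts, and removed when the last such pod
#     stops. A pod that only references `veylant-llm-keys` via envFrom /
#     secretKeyRef but does not mount the CSI volume will not find the Secret.
#   - Neither the mounted files nor the synced Secret are refreshed after a
#     rotation in Vault unless the driver's secret rotation is enabled
#     (`enableSecretRotation=true`); env vars never refresh without a restart.
#   - Syncing into a Kubernetes Secret puts the values in etcd and exposes them
#     to every principal with get/list on Secrets in the `veylant` namespace.
#     Keep that RBAC tight, or drop `secretObjects` and read the files instead.
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: veylant-secrets
  namespace: veylant
spec:
  provider: vault
  parameters:
    # Vault server address. Keep https. If Vault's certificate is not issued by
    # a CA the provider already trusts, supply it with `vaultCACertPath` (or
    # `vaultCACert`) rather than setting `vaultSkipTLSVerify: "true"`, which
    # disables verification and lets anything answering on this name hand out
    # tokens/secrets.
    vaultAddress: "https://vault.vault.svc.cluster.local:8200"
    # Vault Kubernetes-auth role. It must be bound to the ServiceAccount of the
    # pod mounting this volume (the provider authenticates with that pod's
    # projected token on current versions — verify for the installed one), and
    # its policy should grant only `read` on the `secret/data/veylant/*` paths
    # listed below.
    roleName: "veylant-proxy"
    # Secrets to expose as files. Each objectName becomes a file named after it
    # under the volumeMount path chosen in the pod spec (e.g.
    # /mnt/secrets-store/openai-api-key). secretPath is the KV v2 API path
    # (note the `data/` segment) and secretKey the field inside that secret.
    objects: |
      - objectName: "openai-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "openai_api_key"
      - objectName: "anthropic-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "anthropic_api_key"
      - objectName: "mistral-api-key"
        secretPath: "secret/data/veylant/llm-keys"
        secretKey: "mistral_api_key"
      - objectName: "aes-key-base64"
        secretPath: "secret/data/veylant/crypto"
        secretKey: "aes_key_base64"
      - objectName: "db-url"
        secretPath: "secret/data/veylant/database"
        secretKey: "url"
  # Mirror the mounted files into a Kubernetes Secret so pods can consume them as
  # env vars (envFrom / valueFrom.secretKeyRef). Requires syncSecret.enabled=true
  # on the driver (see header). Note that this one Secret bundles the LLM API
  # keys with the AES key and the database URL: any principal allowed to read
  # `veylant-llm-keys` obtains all of them. Splitting into per-purpose Secrets
  # would let RBAC scope them separately; not done here because consumers
  # reference this name.
  secretObjects:
    - secretName: veylant-llm-keys
      type: Opaque
      data:
        - objectName: openai-api-key
          key: VEYLANT_PROVIDERS_OPENAI_API_KEY
        - objectName: anthropic-api-key
          key: VEYLANT_PROVIDERS_ANTHROPIC_API_KEY
        - objectName: mistral-api-key
          key: VEYLANT_PROVIDERS_MISTRAL_API_KEY
        - objectName: aes-key-base64
          key: VEYLANT_CRYPTO_AES_KEY_BASE64
        - objectName: db-url
          key: VEYLANT_DATABASE_URL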