move ollama api key to valut

apps/ollama/kustomization.yaml

@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - release.yaml
+  - secret.yaml
   - auth-proxy.yaml
   - ingress.yaml

apps/ollama/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ollama-proxy
+  namespace: ollama
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ollama-proxy
+    serviceAccount: ollama-proxy
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ollama-api-key
+  namespace: ollama
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ollama
+
+  destination:
+    create: true
+    name: ollama-api-key
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: ollama

vault/kubernetes-roles/ollama-proxy.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - ollama-proxy
+bound_service_account_namespaces:
+  - ollama
+token_policies:
+  - ollama

vault/policy/ollama.hcl

@@ -0,0 +1,3 @@
+path "secret/data/ollama" {
+    capabilities = ["read"]
+}