---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kaneo-secret
  namespace: kaneo
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: kaneo
  namespace: kaneo
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: kaneo
    serviceAccount: kaneo-secret
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: kaneo-authentik
  namespace: kaneo
spec:
  type: kv-v2

  mount: secret
  path: authentik/kaneo

  destination:
    create: true
    name: kaneo-authentik
    type: Opaque
    transformation:
      excludeRaw: true
      templates:
        client_id:
          text: '{{ get .Secrets "client_id" }}'
        client_secret:
          text: '{{ get .Secrets "client_secret" }}'

  vaultAuthRef: kaneo