---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openwebui-secret
  namespace: openwebui
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: openwebui
  namespace: openwebui
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: openwebui
    serviceAccount: openwebui-secret
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: openwebui-authentik
  namespace: openwebui
spec:
  type: kv-v2

  mount: secret
  path: authentik/openwebui

  destination:
    create: true
    name: openwebui-authentik
    type: Opaque
    transformation:
      excludeRaw: true
      templates:
        client_id:
          text: '{{ get .Secrets "client_id" }}'
        client_secret:
          text: '{{ get .Secrets "client_secret" }}'

  vaultAuthRef: openwebui