diff --git a/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml b/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml
new file mode 100644
index 000000000..06194ab3a
--- /dev/null
+++ b/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: vaultwarden-oidc-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vaultwarden-oidc-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: client
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/vaultwarden
+ metadataPolicy: None
+ property: client
+ - secretKey: secret
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/vaultwarden
+ metadataPolicy: None
+ property: secret
diff --git a/clusters/cl01tl/helm/vaultwarden/values.yaml b/clusters/cl01tl/helm/vaultwarden/values.yaml
index cb806e025..c9f19d790 100644
--- a/clusters/cl01tl/helm/vaultwarden/values.yaml
+++ b/clusters/cl01tl/helm/vaultwarden/values.yaml
@@ -23,6 +23,22 @@ vaultwarden:
 secretKeyRef:
 name: vaultwarden-postgresql-18-cluster-app
 key: uri
+ - name: SSO_ENABLED
+ value: "true"
+ - name: SSO_SIGNUPS_MATCH_EMAIL
+ value: "true"
+ - name: SSO_AUTHORITY
+ value: https://auth.alexlebens.dev/application/o/vaultwarden/.well-known/openid-configuration
+ - name: SSO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: vaultwarden-oidc-secret
+ key: client
+ - name: SSO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: vaultwarden-oidc-secret
+ key: secret
 resources:
 requests:
 cpu: 10m
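Review bot: The Kubernetes Secret this ExternalSecret produces is named only implicitly: with no `spec.target` block, external-secrets falls back to the ExternalSecret's own name, and values.yaml depends on exactly that name (`vaultwarden-oidc-secret`) in its `secretKeyRef`s. Making the coupling explicit with `target:` / `  name: vaultwarden-oidc-secret`, or at least a comment such as `# Secret name is consumed by SSO_CLIENT_ID/SSO_CLIENT_SECRET in values.yaml`, protects against a rename on either side silently breaking SSO. The templated scalars `{{ .Release.Namespace }}` and `{{ .Release.Name }}` are unquoted; `{{ .Release.Namespace | quote }}` keeps the rendered YAML valid if a value ever begins with a YAML indicator. No `refreshInterval` is set, so the operator's default reconciliation interval governs how long a rotated client secret in Vault takes to reach the cluster — worth stating in a comment if that is intended.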
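Review bot: `SSO_AUTHORITY` is set to the full discovery-document URL; as far as I recall, Vaultwarden appends `/.well-known/openid-configuration` to the authority itself during OIDC discovery, so the value should probably be the issuer base `https://auth.alexlebens.dev/application/o/vaultwarden/` — confirm against the Vaultwarden SSO documentation and the discovery messages in the pod log before merging. `SSO_SIGNUPS_MATCH_EMAIL: "true"` lets an OIDC login attach to an existing local account by e-mail match, which is only safe when the identity provider asserts verified e-mail addresses; a comment such as `# links SSO logins to existing accounts by e-mail; relies on Authentik verifying e-mail` would record that trust decision next to the setting. Password login apparently stays enabled alongside SSO here (no `SSO_ONLY` is set), which may be intended but deserves an explicit note. The enclosing `env` list appears to start before the hunk.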