From 5c769019eafbfb47b4562e39a73daa4cc0787c91 Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Mon, 29 Dec 2025 23:26:29 +0000
Subject: [PATCH] Automated Manifest Update (#2959)
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.
Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2959
Co-authored-by: gitea-bot
Co-committed-by: gitea-bot
---
 .../vaultwarden/Deployment-vaultwarden.yaml | 16 +++++++++++
 ...xternalSecret-vaultwarden-oidc-secret.yaml | 28 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml
diff --git a/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml b/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml
index 413fd3316..819ab61d5 100644
--- a/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml
+++ b/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml
@@ -46,6 +46,22 @@ spec:
 secretKeyRef:
 key: uri
 name: vaultwarden-postgresql-18-cluster-app
+ - name: SSO_ENABLED
+ value: "true"
+ - name: SSO_SIGNUPS_MATCH_EMAIL
+ value: "true"
+ - name: SSO_AUTHORITY
+ value: https://auth.alexlebens.dev/application/o/vaultwarden/.well-known/openid-configuration
+ - name: SSO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: client
+ name: vaultwarden-oidc-secret
+ - name: SSO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: secret
+ name: vaultwarden-oidc-secret
 image: vaultwarden/server:1.35.0
 imagePullPolicy: IfNotPresent
 name: main
diff --git a/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml b/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml
new file mode 100644
index 000000000..42a89aa54
--- /dev/null
+++ b/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml
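Review bot: In the Deployment-vaultwarden.yaml hunk, the `SSO_AUTHORITY` value ends in `/.well-known/openid-configuration`, but as far as Vaultwarden's SSO documentation describes it the setting takes the issuer base URL and the discovery path is appended by the server, so discovery or the issuer comparison is likely to fail; the value should probably be `https://auth.alexlebens.dev/application/o/vaultwarden/` (authentik issuers keep the trailing slash). Separately, `SSO_SIGNUPS_MATCH_EMAIL` set to `"true"` attaches an SSO login to an existing account by e-mail address, which is only safe while the identity provider asserts verified e-mails and `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION` stays at its default of false; a comment in the chart values such as `# relies on verified e-mail claims from the IdP; do not enable SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION` would record that dependency. This file is rendered output, so both changes belong in the values that generate it rather than in the manifest. The container's env list starts and ends outside the hunk.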
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: vaultwarden-oidc-secret
+ namespace: vaultwarden
+ labels:
+ app.kubernetes.io/name: vaultwarden-oidc-secret
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/part-of: vaultwarden
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: client
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/vaultwarden
+ metadataPolicy: None
+ property: client
+ - secretKey: secret
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/vaultwarden
+ metadataPolicy: None
+ property: secret