From 9c210bdd05dd57af77d306495c247e73d0c54f75 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Sun, 19 Apr 2026 15:32:32 -0500
Subject: [PATCH] feat: use csi secret
---
 .../helm/slskd/templates/external-secret.yaml | 21 -------------------
 .../templates/secret-provider-class.yaml | 18 ++++++++++++++++
 clusters/cl01tl/helm/slskd/values.yaml | 10 ++++++---
 3 files changed, 25 insertions(+), 24 deletions(-)
 create mode 100644 clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml
diff --git a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
index 57e717133..337663687 100644
--- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
@@ -1,26 +1,5 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
- name: slskd-config-secret
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: slskd-config-secret
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: slskd.yml
- remoteRef:
- key: /cl01tl/slskd/config
-
- property: slskd.yml
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
 name: slskd-wireguard-conf
 namespace: {{ .Release.Namespace }}
diff --git a/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml
new file mode 100644
index 000000000..ad87f8ccb
--- /dev/null
+++ b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: slskd-config-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: slskd-config-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ provider: openbao
+ parameters:
+ roleName: reader
+ objects: |
+ - objectName: slskd-config-secret
+ fileName: slskd.yml
+ secretPath: cl01tl/slskd/config
+ secretKey: slskd.yml
diff --git a/clusters/cl01tl/helm/slskd/values.yaml b/clusters/cl01tl/helm/slskd/values.yaml
index 985a62cd5..9b846e42a 100644
--- a/clusters/cl01tl/helm/slskd/values.yaml
+++ b/clusters/cl01tl/helm/slskd/values.yaml
@@ -159,9 +159,13 @@ slskd:
 value: /
 persistence:
 slskd-config:
- enabled: true
- type: secret
- name: slskd-config-secret
+ type: custom
+ volumeSpec:
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: slskd-config-secret
 advancedMounts:
 main:
 main:
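Review bot: `roleName: reader` in secret-provider-class.yaml names a generic role, and with a CSI provider it is presumably the slskd pod's own service account that authenticates to OpenBao, rather than the central `vault` ClusterSecretStore the removed ExternalSecret went through. The role's policy and bindings are not visible in this patch, so confirm that it is bound only to the slskd service account in the release namespace and that its policy grants read on `cl01tl/slskd/config` and nothing broader. A per-application role would keep a compromised slskd pod from reading other workloads' paths. Separately, `secrets-store.csi.x-k8s.io/v1alpha1` is the deprecated API version; prefer `apiVersion: secrets-store.csi.x-k8s.io/v1` where the installed driver serves it.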
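Review bot: The new `slskd-config` CSI volume in values.yaml has no comment recording what it depends on, and it changes how the pod starts. The mount now needs the Secrets Store CSI driver on the node, the `slskd-config-secret` SecretProviderClass in the release namespace, and a reachable OpenBao; otherwise the pod will not get past volume setup. I would add above `type: custom` a comment such as `# Config mounted by the Secrets Store CSI driver; requires SecretProviderClass slskd-config-secret in this namespace`. The `advancedMounts` block continues outside the hunk; if it mounts the file with `subPath`, rotated content would not reach the container and the config would only refresh on pod restart.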