diff --git a/vaultwarden/infisical-vaultwarden-secret.yaml b/vaultwarden/infisical-vaultwarden-secret.yaml new file mode 100644 index 0000000..a816ec8 --- /dev/null +++ b/vaultwarden/infisical-vaultwarden-secret.yaml @@ -0,0 +1,26 @@ +apiVersion: secrets.infisical.com/v1beta1 +kind: InfisicalStaticSecret +metadata: + name: vaultwarden-secret + namespace: vaultwarden +spec: + # Shared, read-only machine identity (no write grant, no PushSecret). + # Source is the /vaultwarden folder: ADMIN_TOKEN (Argon2id PHC protecting the + # /admin panel — replaced the old PLACEHOLDER_CHANGE_ME), DOMAIN, SIGNUPS_ALLOWED. + # Consumed via envFrom on the vaultwarden Deployment; Infisical key names already + # match the env var names (UPPER_SNAKE), so this is straight passthrough. + infisicalAuthRef: + name: infisical-auth + namespace: infisical-operator + sources: + - projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab" + environmentSlug: prod + secretPath: /vaultwarden + syncOptions: + refreshInterval: 60s + targets: + - kind: Secret + name: vaultwarden-secret-infisical # parallel name — old secret stays live until 3c + namespace: vaultwarden + creationPolicy: Owner + # key passthrough: synced Secret carries ADMIN_TOKEN, DOMAIN, SIGNUPS_ALLOWED verbatim