jellyfin: read LDAP config from vault

services/jellyfin/deployment.yaml

@@ -20,7 +20,16 @@ spec:
     metadata:
       labels:
         app: jellyfin
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "pegasus"
+        vault.hashicorp.com/agent-inject-secret-ldap-config.xml: "kv/data/atlas/pegasus/jellyfin-ldap-config"
+        vault.hashicorp.com/agent-inject-template-ldap-config.xml: |
+          {{ with secret "kv/data/atlas/pegasus/jellyfin-ldap-config" }}
+          {{ index .Data.data "ldap-config.xml" }}
+          {{ end }}
     spec:
+      serviceAccountName: pegasus-vault-sync
       # Clean up any lingering OIDC artifacts and strip the injected script tag
       initContainers:
         - name: strip-oidc
@@ -90,6 +99,10 @@ spec:
         - name: jellyfin
           image: docker.io/jellyfin/jellyfin:10.11.5
           imagePullPolicy: IfNotPresent
+          command:
+            - /entrypoint.sh
+          args:
+            - /jellyfin/jellyfin
           ports:
             - name: http
               containerPort: 8096
@@ -104,6 +117,8 @@ spec:
               value: "65532"
             - name: UMASK
               value: "002"
+            - name: VAULT_COPY_FILES
+              value: /vault/secrets/ldap-config.xml:/config/plugins/configurations/LDAP-Auth.xml
           resources:
             limits:
               nvidia.com/gpu.shared: 1
@@ -114,12 +129,11 @@ spec:
               cpu: "500m"
               memory: 1Gi
           volumeMounts:
+            - name: jellyfin-vault-entrypoint
+              mountPath: /entrypoint.sh
+              subPath: vault-entrypoint.sh
             - name: config
               mountPath: /config
-            # Override LDAP plugin configuration from a secret to avoid embedding credentials in the PVC.
-            - name: ldap-config
-              mountPath: /config/plugins/configurations/LDAP-Auth.xml
-              subPath: ldap-config.xml
             - name: cache
               mountPath: /cache
             - name: media
@@ -143,6 +157,10 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: false
       volumes:
+        - name: jellyfin-vault-entrypoint
+          configMap:
+            name: jellyfin-vault-entrypoint
+            defaultMode: 493
         - name: web-root
           emptyDir: {}
         - name: config
@@ -154,9 +172,3 @@ spec:
         - name: media
           persistentVolumeClaim:
             claimName: jellyfin-media-asteria-new
-        - name: ldap-config
-          secret:
-            secretName: jellyfin-ldap-config
-            items:
-              - key: ldap-config.xml
-                path: ldap-config.xml

services/jellyfin/kustomization.yaml

@@ -7,3 +7,9 @@ resources:
   - service.yaml
   - deployment.yaml
   - ingress.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+  - name: jellyfin-vault-entrypoint
+    files:
+      - vault-entrypoint.sh=scripts/vault-entrypoint.sh

services/jellyfin/scripts/vault-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${VAULT_ENV_FILE:-}" ]; then
+  if [ -f "${VAULT_ENV_FILE}" ]; then
+    # shellcheck disable=SC1090
+    . "${VAULT_ENV_FILE}"
+  else
+    echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
+    exit 1
+  fi
+fi
+
+if [ -n "${VAULT_COPY_FILES:-}" ]; then
+  old_ifs="$IFS"
+  IFS=','
+  for pair in ${VAULT_COPY_FILES}; do
+    src="${pair%%:*}"
+    dest="${pair#*:}"
+    if [ -z "${src}" ] || [ -z "${dest}" ]; then
+      echo "Vault copy entry malformed: ${pair}" >&2
+      exit 1
+    fi
+    if [ ! -f "${src}" ]; then
+      echo "Vault file not found: ${src}" >&2
+      exit 1
+    fi
+    mkdir -p "$(dirname "${dest}")"
+    cp "${src}" "${dest}"
+  done
+  IFS="$old_ifs"
+fi
+
+exec "$@"