From 28e42346bc7d3109753e3dce4d7da87d5708848a Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 17 Apr 2026 19:18:37 -0500
Subject: [PATCH] feat: add openbao provider
---
 .../cl01tl/helm/external-secrets/Chart.yaml | 2 +-
 .../templates/cluster-role-binding.yaml | 17 +++++++++++++
 .../templates/cluster-secret-store.yaml | 25 +++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
diff --git a/clusters/cl01tl/helm/external-secrets/Chart.yaml b/clusters/cl01tl/helm/external-secrets/Chart.yaml
index ca719e32e..8c67ad3fc 100644
--- a/clusters/cl01tl/helm/external-secrets/Chart.yaml
+++ b/clusters/cl01tl/helm/external-secrets/Chart.yaml
@@ -18,4 +18,4 @@ dependencies:
 repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: vv2.3.0
+appVersion: v2.3.0
diff --git a/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml b/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
new file mode 100644
index 000000000..13f08c206
--- /dev/null
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: {{ .Release.Namespace }}
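Review bot: The new ClusterRoleBinding grants `system:auth-delegator` to the `external-secrets` service account without saying why. That role permits creating TokenReviews and SubjectAccessReviews cluster-wide, so the reason belongs in the manifest, for example `# needed so OpenBao's kubernetes auth can review this account's token` above `roleRef:` (wording to be confirmed against how the auth mount is configured). If OpenBao validates logins with its own service account as reviewer, the grant is presumably unnecessary here and belongs on that account instead. Separately, `namespace: {{ .Release.Namespace }}` under `metadata` has no effect on a cluster-scoped kind and can be dropped. The subject name `external-secrets` is also hard-coded, so the binding only takes effect if the subchart's service account really carries that name.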
diff --git a/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml b/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
index eb19a37b3..0403e09cc 100644
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
@@ -17,3 +17,28 @@ spec:
 namespace: vault
 name: vault-token
 key: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+ name: openbao
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ provider:
+ vault:
+ server: http://openbao-internal.openbao:8200
+ path: secret
+ version: v2
+ auth:
+ kubernetes:
+ mountPath: kubernetes
+ role: external-secrets
+ serviceAccountRef:
+ name: external-secrets
+ audiences:
+ - openbao
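Review bot: `server: http://openbao-internal.openbao:8200` sends the service-account token used for login, and the secret values returned, over plaintext HTTP inside the cluster; prefer `server: https://openbao-internal.openbao:8200` with a `caProvider` (or `caBundle`) entry so the controller verifies the OpenBao certificate. `serviceAccountRef` also omits `namespace`. On a ClusterSecretStore that likely makes the lookup resolve in each ExternalSecret's own namespace rather than the release namespace, so add `namespace: {{ .Release.Namespace }}` beside `name: external-secrets` if one shared account is intended. The `metadata.namespace` field has no effect on this cluster-scoped kind. The hunk appends to a file whose earlier store definition lies outside it.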