apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ghost-password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/config/credentials
        metadataPolicy: None
        property: ghost-password

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/ghost
        metadataPolicy: None
        property: token

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-mysql-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-mysql-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: root
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: root
    - secretKey: xtrabackup
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: xtrabackup
    - secretKey: monitor
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: monitor
    - secretKey: clustercheck
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: clustercheck
    - secretKey: proxyadmin
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: proxyadmin
    - secretKey: pmmserverkey
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: pmmserverkey
    - secretKey: pmmserver
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: pmmserver
    - secretKey: operator
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: operator
    - secretKey: replication
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: replication
    - secretKey: ghost-password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: ghost-password

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-mysql-backup-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-mysql-backup-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /aws/keys/cl01tl-ghost-mysql
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /aws/keys/cl01tl-ghost-mysql
        metadataPolicy: None
        property: secret_key