apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: vault
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  provider:
    vault:
      server: http://vault-internal.vault:8200
      path: secret
      auth:
        tokenSecretRef:
          namespace: vault
          name: vault-token
          key: token

---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: openbao
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  provider:
    vault:
      server: http://openbao-internal.openbao:8200
      path: secret
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
            name: external-secrets
            audiences:
              - openbao