apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ghost-password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/config/credentials
        metadataPolicy: None
        property: ghost-password

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-mysql-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-mysql-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: mysql-password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: ghost-user
    - secretKey: rootUser
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: rootUser
    - secretKey: rootHost
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: rootHost
    - secretKey: rootPassword
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: rootPassword

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-mysql-backup-credentials-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-mysql-backup-credentials-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/ghost/mysql/credentials
        metadataPolicy: None
        property: backup-config

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ghost-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ghost-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/ghost
        metadataPolicy: None
        property: token