apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-key
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/karakeep/key
        property: key

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep-metric-token
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-key-secret
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: prometheus-token
      remoteRef:
        key: /cl01tl/karakeep/metrics
        property: token

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep-meilisearch-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-meilisearch-key
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: MEILI_MASTER_KEY
      remoteRef:
        key: /cl01tl/karakeep/meilisearch
        property: master-key

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: AUTHENTIK_CLIENT_ID
      remoteRef:
        key: /cl01tl/authentik/oidc/karakeep
        property: client
    - secretKey: AUTHENTIK_CLIENT_SECRET
      remoteRef:
        key: /cl01tl/authentik/oidc/karakeep
        property: secret

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep-bucket-garage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-bucket-garage
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        key: /garage/home-infra/karakeep-assets
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        key: /garage/home-infra/karakeep-assets
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /garage/home-infra/karakeep-assets
        property: ACCESS_REGION
    - secretKey: BUCKET
      remoteRef:
        key: /garage/home-infra/karakeep-assets
        property: BUCKET
    - secretKey: ENDPOINT
      remoteRef:
        key: /garage/config
        property: ENDPOINT_LOCAL