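# ExternalSecret manifests (Helm template) for OpenBao snapshot backups,
# unseal configuration and unseal notifications. All five resources read
# from the ClusterSecretStore named "openbao".
#
# NOTE(review): none of these resources sets spec.refreshInterval or
# spec.target.name, so the controller defaults apply (the target Secret takes
# the ExternalSecret's name). Confirm the default refresh cadence suits
# credential rotation.
# NOTE(review): a ClusterSecretStore can be referenced from any namespace
# unless the store itself restricts that. Verify the store's namespace
# conditions and the backend policy limit who can read the paths used here.

# Object-storage credentials, region and bucket for OpenBao snapshots.
# NOTE(review): presumably an S3-compatible key pair; confirm it is scoped to
# the backup bucket only, since snapshots hold the full (encrypted) data set.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-snapshot-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-snapshot-secret
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_REGION
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_SECRET_KEY
    - secretKey: BUCKET
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: BUCKET

---
# Unseal configuration 1 of 3: shares environment and nodes with the other
# two and differs only in the TOKENS property (tokens-1).
# NOTE(review): all three unseal Secrets land in the same namespace and are
# read from the same remote path, so any principal that can read Secrets in
# this namespace, or that path in the backend, obtains every token set.
# Splitting them across three objects does not by itself separate trust;
# restrict Secret read access per consumer if separation is intended.
# NOTE(review): if the "openbao" store is backed by the same OpenBao instance
# these tokens unseal, a sealed instance cannot serve them. Recovery then
# depends on the previously synced Kubernetes Secrets still existing.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-1
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-1
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: tokens-1

---
# Unseal configuration 2 of 3 (TOKENS from property tokens-2).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-2
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-2
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: tokens-2

---
# Unseal configuration 3 of 3 (TOKENS from property tokens-3).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-3
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-3
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: tokens-3

---
# Notification target for unseal events. The template joins the fetched
# endpoint and topic into one URL under NOTIFY_QUEUE_URLS.
# The backtick-wrapped expressions are emitted literally by Helm so that the
# External Secrets template engine, not Helm, resolves endpoint and topic.
# NOTE(review): the endpoint comes from a property named
# internal-endpoint-credential, so the resulting URL presumably embeds a
# credential. Treat the whole value as secret and keep it out of logs and
# process arguments in whatever consumes it.
# NOTE(review): with mergePolicy Merge the raw endpoint and topic keys are
# kept in the target Secret alongside NOTIFY_QUEUE_URLS. Confirm the consumer
# needs them; otherwise they widen what a Secret reader sees.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-ntfy-unseal-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-ntfy-unseal-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
  data:
    - secretKey: endpoint
      remoteRef:
        key: /cl01tl/ntfy/users/cl01tl
        property: internal-endpoint-credential
    - secretKey: topic
      remoteRef:
        key: /cl01tl/ntfy/topics
        property: openbao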