apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: vault
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: vault
    {{- include "custom.labels" . | nindent 4 }}
spec:
  provider:
    vault:
      server: http://vault-internal.vault:8200
      path: secret
      auth:
        tokenSecretRef:
          namespace: vault
          name: vault-token
          key: token

---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: openbao
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao
    {{- include "custom.labels" . | nindent 4 }}
spec:
  provider:
    vault:
      server: http://openbao-internal.openbao:8200
      path: secret
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
            name: {{ .Release.Name }}
            namespace: {{ .Release.Namespace }}
            audiences:
              - openbao