apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gitea-runner-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-runner-secret
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: token
      remoteRef:
        key: /cl01tl/gitea/runner
        property: token

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gitea-meilisearch-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-meilisearch-key
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        ISSUE_INDEXER_CONN_STR: "http://:{{ `{{ .MEILI_MASTER_KEY }}` }}@gitea-meilisearch.gitea:7700/"
  data:
    - secretKey: MEILI_MASTER_KEY
      remoteRef:
        key: /cl01tl/gitea/meilisearch
        property: master-key

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gitea-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: secret
      remoteRef:
        key: /cl01tl/authentik/oidc/gitea
        property: secret
    - secretKey: key
      remoteRef:
        key: /cl01tl/authentik/oidc/gitea
        property: client