infrastructure/clusters/cl01tl/helm/openbao/templates/external-secret.yaml

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-snapshot-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-snapshot-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_REGION
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_SECRET_KEY
    - secretKey: BUCKET
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: BUCKET

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-1
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-1
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: ENVIRONMENT
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NODES
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: TOKENS_1
    - secretKey: NOTIFY_QUEUE_URLS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NOTIFY_QUEUE_URLS

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-2
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-2
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: ENVIRONMENT
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NODES
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: TOKENS_2
    - secretKey: NOTIFY_QUEUE_URLS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NOTIFY_QUEUE_URLS

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: openbao-unseal-config-3
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao-unseal-config-3
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: ENVIRONMENT
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NODES
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: TOKENS_3
    - secretKey: NOTIFY_QUEUE_URLS
      remoteRef:
        key: /cl01tl/openbao/unseal
        property: NOTIFY_QUEUE_URLS

# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
#   name: openbao-token
#   namespace: {{ .Release.Namespace }}
#   labels:
#     app.kubernetes.io/name: openbao-token
#     app.kubernetes.io/instance: {{ .Release.Name }}
#     app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
#   secretStoreRef:
#     kind: ClusterSecretStore
#     name: openbao
#   data:
#     - secretKey: token
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: token
#     - secretKey: unseal_key_1
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: unseal_key_1
#     - secretKey: unseal_key_2
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: unseal_key_2
#     - secretKey: unseal_key_3
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: unseal_key_3
#     - secretKey: unseal_key_4
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: unseal_key_4
#     - secretKey: unseal_key_5
#       remoteRef:
#         key: /cl01tl/openbao/token
#         property: unseal_key_5