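---
# ExternalSecret: pull agent AppRole credentials from OpenBao into k8s Secrets
# One ExternalSecret per role. Template shown for pm; others follow same pattern.
# Deploy via: kubectl apply -f externalsecrets/   (generated per-role)
#
# Prerequisites:
#   - external-secrets operator installed
#   - ClusterSecretStore "openbao" configured pointing to OpenBao in-cluster
#
# The manifest below is that ClusterSecretStore. It tells the operator where
# OpenBao lives, which KV mount to read, and how to authenticate.
#
# NOTE(review): a ClusterSecretStore is cluster-scoped, so ExternalSecrets in
# any namespace can reference it unless spec.conditions restricts the
# namespaces. What they can read is bounded only by the OpenBao policy attached
# to the "external-secrets" role (not shown here) - confirm it is limited to
# the agent AppRole paths.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: openbao
spec:
  provider:
    vault:
      # NOTE(review): plain HTTP. The service-account token sent at login, the
      # client token returned, and every secret value read cross the cluster
      # network unencrypted. Prefer an https:// listener with the CA pinned
      # via caBundle or caProvider; left unchanged here because the TLS
      # material is not part of this file.
      server: "http://openbao.openbao.svc.cluster.local:8200"
      # KV secrets engine mounted at "secret", version 2.
      path: "secret"
      version: "v2"
      auth:
        # Kubernetes auth method: the operator logs in at the "kubernetes"
        # auth mount as role "external-secrets", presenting a token for the
        # service account referenced below.
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"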