---
# ExternalSecret for Veza Production Secrets
# Syncs secrets from Vault into the Kubernetes Secret "veza-secrets" in the
# veza-production namespace.
#
# NOTE(review): newer External Secrets Operator releases serve this kind as
# external-secrets.io/v1; confirm which versions the installed CRDs serve
# before upgrading the operator.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: veza-secrets
  namespace: veza-production
spec:
  # Vault is re-read on this interval, so a value rotated in Vault can take
  # up to an hour to reach the Secret. Pods that consume the Secret through
  # environment variables keep the old value until they restart.
  refreshInterval: 1h
  # kind SecretStore is namespaced, so a store named "vault-store" has to
  # exist in this namespace. The store is not defined in this file.
  # NOTE(review): confirm the Vault role behind it can read only
  # veza/production and not the other environments' paths.
  secretStoreRef:
    name: vault-store
    kind: SecretStore
  target:
    name: veza-secrets
    # Owner: the operator creates the Secret and owns it, so deleting this
    # ExternalSecret also removes the Secret.
    creationPolicy: Owner
    template:
      type: Opaque
      # Keys here become the keys of the generated Secret. Each template
      # reads the value fetched under the matching secretKey in spec.data
      # (underscore names, since Go templates cannot address ".foo-bar").
      # The rendered Secret holds the plaintext values base64-encoded, so
      # RBAC on Secrets in this namespace is what limits who can read them.
      data:
        database-url: "{{ .database_url }}"
        redis-url: "{{ .redis_url }}"
        jwt-secret: "{{ .jwt_secret }}"
        stripe-api-key: "{{ .stripe_api_key }}"
        stripe-webhook-secret: "{{ .stripe_webhook_secret }}"
        smtp-password: "{{ .smtp_password }}"
        s3-access-key: "{{ .s3_access_key }}"
        s3-secret-key: "{{ .s3_secret_key }}"
  # One entry per value to fetch: "key" is the Vault secret path, "property"
  # the field inside that secret, "secretKey" the name the template sees.
  data:
    - secretKey: database_url
      remoteRef:
        key: veza/production
        property: database-url
    - secretKey: redis_url
      remoteRef:
        key: veza/production
        property: redis-url
    - secretKey: jwt_secret
      remoteRef:
        key: veza/production
        property: jwt-secret
    - secretKey: stripe_api_key
      remoteRef:
        key: veza/production
        property: stripe-api-key
    - secretKey: stripe_webhook_secret
      remoteRef:
        key: veza/production
        property: stripe-webhook-secret
    - secretKey: smtp_password
      remoteRef:
        key: veza/production
        property: smtp-password
    - secretKey: s3_access_key
      remoteRef:
        key: veza/production
        property: s3-access-key
    - secretKey: s3_secret_key
      remoteRef:
        key: veza/production
        property: s3-secret-key
---
# ExternalSecret for Development
# Same layout as production, reading from veza/development and syncing only
# the database, Redis and JWT values.
# NOTE(review): keep jwt-secret distinct per environment so a token signed
# in development is not valid against production.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: veza-secrets
  namespace: veza-development
spec:
  refreshInterval: 1h
  # Resolved inside veza-development; a separate "vault-store" SecretStore
  # must exist in this namespace.
  secretStoreRef:
    name: vault-store
    kind: SecretStore
  target:
    name: veza-secrets
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        database-url: "{{ .database_url }}"
        redis-url: "{{ .redis_url }}"
        jwt-secret: "{{ .jwt_secret }}"
  data:
    - secretKey: database_url
      remoteRef:
        key: veza/development
        property: database-url
    - secretKey: redis_url
      remoteRef:
        key: veza/development
        property: redis-url
    - secretKey: jwt_secret
      remoteRef:
        key: veza/development
        property: jwt-secret
---
# ExternalSecret for Staging
# Same layout as development, reading from veza/staging.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: veza-secrets
  namespace: veza-staging
spec:
  refreshInterval: 1h
  # Resolved inside veza-staging; a separate "vault-store" SecretStore must
  # exist in this namespace.
  secretStoreRef:
    name: vault-store
    kind: SecretStore
  target:
    name: veza-secrets
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        database-url: "{{ .database_url }}"
        redis-url: "{{ .redis_url }}"
        jwt-secret: "{{ .jwt_secret }}"
  data:
    - secretKey: database_url
      remoteRef:
        key: veza/staging
        property: database-url
    - secretKey: redis_url
      remoteRef:
        key: veza/staging
        property: redis-url
    - secretKey: jwt_secret
      remoteRef:
        key: veza/staging
        property: jwt-secret