apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: http://vault.vault:8200
      path: secret
      auth:
        tokenSecretRef:
          name: vault-token
          namespace: vault
          key: token
        # TODO switch to kubernetes auth
        # kubernetes:
        #   mountPath: "kubernetes"
        #   role: "demo"
        #   serviceAccountRef:
        #     name: "my-sa"
        #     namespace: "secret-admin"
        #   secretRef:
        #     name: "my-secret"
        #     namespace: "secret-admin"
        #     key: "vault"
---
# TODO switch to kubernetes auth
# and turn off vault dev mode
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: vault
data:
  token: cm9vdA==  # root
---