apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: http://vault.vault:8200
      path: secret
      auth:
        tokenSecretRef:
          name: vault-unseal-keys
          namespace: vault
          key: vault-root
        # TODO switch to kubernetes auth
        # kubernetes:
        #   mountPath: "kubernetes"
        #   role: "demo"
        #   serviceAccountRef:
        #     name: "my-sa"
        #     namespace: "secret-admin"
        #   secretRef:
        #     name: "my-secret"
        #     namespace: "secret-admin"
        #     key: "vault"