apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: ext-authentik-backend
  namespace: authentik
spec:
  provider:
    vault:
      server: "http://vault.vault:8200"
      path: "kv"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "kube-role"
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: ext-authentik
  namespace: authentik
spec:
  secretStoreRef:
    name: ext-authentik-backend
    kind: SecretStore
  target:
    name: authentik-secret
  data:
    - secretKey: AUTHENTIK_SECRET_KEY
      remoteRef:
        key: authentik/authentik
        property: secret_key
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: ext-authentik-psql
  namespace: authentik
spec:
  secretStoreRef:
    name: ext-authentik-backend
    kind: SecretStore
  target:
    name: postgres-secret
  data:
    - secretKey: password
      remoteRef:
        key: authentik/postgres
        property: root_password