# Template ClusterSecretStore - Vault (Cluster-Wide)
#
# Use ClusterSecretStore if you want the store to be available cluster-wide.
# This is useful for shared secrets like TLS certificates or database credentials.
#
# Note: This should typically be created and managed by the infrastructure team,
# not individual applications.

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-cluster-store
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"  # CHANGE: Your Vault server URL
      path: "secret"                              # CHANGE: Your secret path in Vault
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "cluster-app-role"              # CHANGE: Your cluster-wide Vault role