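---
# Template ExternalSecret - Basic Configuration
#
# This template syncs secrets from Vault into a Kubernetes Secret.
# Copy this file to your `secrets-/` folder and customize.
#
# The secrets defined here will be synced into a Kubernetes Secret named
# "app-secrets" that your pods can mount or reference via environment
# variables.
#
# Only references (Vault paths and property names) belong in this file;
# the secret values themselves stay in Vault and must not be committed here.
#
# NOTE(review): confirm that the apiVersion below is served by the External
# Secrets Operator release installed in your cluster.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: default  # CHANGE: Your application's namespace
spec:
  # How often to sync secrets (shorter = more frequent updates).
  # A value rotated in Vault can take up to this long to reach the Secret.
  # Pods that read the Secret through environment variables keep the old
  # value until they are restarted.
  refreshInterval: 1h

  # Reference to the SecretStore (should be in the same namespace)
  # or ClusterSecretStore (available cluster-wide).
  # A namespaced SecretStore keeps the Vault access scoped to this
  # namespace; a ClusterSecretStore can be referenced from other namespaces
  # too, so choose it only when that sharing is intended.
  secretStoreRef:
    name: vault-secretstore  # CHANGE: Name of your SecretStore
    kind: SecretStore  # CHANGE: Use "ClusterSecretStore" if using cluster-wide store

  # Target: where to create the synced Kubernetes Secret.
  # Anyone allowed to read Secrets in this namespace can read the synced
  # values, so scope RBAC on Secrets accordingly.
  target:
    name: app-secrets  # CHANGE: Name of the Secret to create
    # Owner: the operator creates the Secret and owns it, so the Secret is
    # removed when this ExternalSecret is deleted.
    creationPolicy: Owner
    template:
      engineVersion: v2
      # Template the secret data (optional transformation).
      # Each {{ .name }} refers to a secretKey declared under spec.data below;
      # the quotes keep YAML from reading the braces as a flow mapping.
      data:
        DATABASE_URL: "{{ .db_url }}"
        API_KEY: "{{ .api_key }}"

  # Source: which secrets to fetch from the backend.
  # List only the keys and properties this application needs, and keep the
  # Vault policy behind the SecretStore limited to those same paths.
  data:
    - secretKey: db_url  # Name used in template and Secret
      remoteRef:
        key: my-app/database  # CHANGE: Path in Vault
        property: url  # CHANGE: Property within that Vault key
    - secretKey: api_key  # Name used in template and Secret
      remoteRef:
        key: my-app/api  # CHANGE: Path in Vault
        property: token  # CHANGE: Property within that Vault key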