---
# ExternalSecret example: sync API7 Gateway credentials into a Kubernetes
# Secret with the External Secrets Operator (ESO).
#
# Documentation: https://external-secrets.io/
#
# This file holds one ExternalSecret followed by four alternative
# SecretStore definitions. The ExternalSecret references only
# `vault-backend`; the other stores are examples to pick from.
#
# NOTE(review): confirm that the installed ESO CRDs serve
# external-secrets.io/v1beta1 before applying these manifests.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api7-gateway-credentials
  namespace: api7ee
  labels:
    app.kubernetes.io/name: api7ee-demo
    app.kubernetes.io/component: api7
spec:
  # Polling period against the external provider. A credential rotated in
  # the provider can take up to this long to reach the cluster.
  refreshInterval: 1h

  # Store that supplies the values.
  secretStoreRef:
    # Must match the metadata.name of a store defined below.
    name: vault-backend
    # SecretStore is namespaced; ClusterSecretStore is the cluster-wide
    # alternative. The namespaced kind keeps provider access scoped to
    # this namespace.
    kind: SecretStore

  # Kubernetes Secret that ESO writes.
  target:
    name: api7-credentials
    # Owner: ESO creates the Secret and owns it, so the Secret is removed
    # when this ExternalSecret is deleted.
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        # Each template variable is a `secretKey` from spec.data below.
        # admin-key presumably grants Admin API access (inferred from its
        # name); limit RBAC read access to Secrets in this namespace.
        admin-url: '{{ .adminUrl }}'
        admin-key: '{{ .adminKey }}'
        gateway-group: '{{ .group }}'

  # Values pulled from the provider. `key` is the entry in the external
  # store and `property` the field inside that entry.
  # NOTE(review): the path-style key `api7/gateway` fits the Vault store
  # referenced above; secret naming rules differ between providers, so
  # adjust remoteRef if secretStoreRef is pointed at another store.
  data:
    - secretKey: adminUrl
      remoteRef:
        key: api7/gateway
        property: admin_url
    - secretKey: adminKey
      remoteRef:
        key: api7/gateway
        property: admin_key
    - secretKey: group
      remoteRef:
        key: api7/gateway
        property: gateway_group
---
# SecretStore example: AWS Secrets Manager.
# Authenticates with the token of the referenced service account. Scope
# the IAM role behind it to read only the secrets this namespace needs.
# NOTE(review): a namespaced SecretStore presumably resolves
# serviceAccountRef in its own namespace, so `external-secrets-sa` would
# have to exist in `api7ee` - confirm.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: api7ee
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
# SecretStore example: HashiCorp Vault (the store used by the
# ExternalSecret above).
# Uses Vault's Kubernetes auth method. Bind `api7-role` in Vault to this
# service account and namespace only, with a read-only policy limited to
# the paths that are actually synced.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: api7ee
spec:
  provider:
    vault:
      # Placeholder address; keep it an https:// URL so the token and the
      # secret values are not sent in clear text.
      server: 'https://vault.example.com'
      # KV secrets engine mount and engine version.
      path: 'secret'
      version: 'v2'
      auth:
        kubernetes:
          mountPath: 'kubernetes'
          role: 'api7-role'
          serviceAccountRef:
            name: api7ee-demo-api7ee-demo-k8s
---
# SecretStore example: Azure Key Vault.
# Workload identity avoids storing a client secret in the cluster; grant
# the identity behind the service account read access to secrets only.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-keyvault
  namespace: api7ee
spec:
  provider:
    azurekv:
      # Placeholder vault URL.
      vaultUrl: 'https://my-vault.vault.azure.net'
      authType: WorkloadIdentity
      serviceAccountRef:
        name: api7ee-demo-api7ee-demo-k8s
---
# SecretStore example: GCP Secret Manager.
# Workload identity avoids a long-lived service-account key; grant the
# bound identity secret-read access only on the secrets it needs.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secretmanager
  namespace: api7ee
spec:
  provider:
    gcpsm:
      # Placeholder project, cluster location and cluster name.
      projectID: 'my-project'
      auth:
        workloadIdentity:
          clusterLocation: us-central1
          clusterName: my-cluster
          serviceAccountRef:
            name: api7ee-demo-api7ee-demo-k8s