apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: headlamp-oidc
  namespace: headlamp
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: headlamp-oidc
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        clientID: headlamp
        clientSecret: "{{ .clientSecret }}"
        issuerURL: https://auth0213.kro.kr
        scopes: "openid profile email groups"
  data:
    - secretKey: clientSecret
      remoteRef:
        key: cluster-infrastructure/authelia
        property: HEADLAMP_CLIENT_SECRET