observability/prometheus/manifests/secret.yaml

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: postgresql-password
  namespace: prometheus
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: postgresql-password
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: postgresql
        property: PASSWORD
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: thanos-objstore-secret
  namespace: prometheus
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: thanos-objstore-secret
    template:
      engineVersion: v2
      data:
        objstore.yml: |
          type: S3
          config:
            bucket: thanos
            endpoint: minio.minio.svc.cluster.local:9000
            access_key: {{ .access_key }}
            secret_key: {{ .secret_key }}
            insecure: true
  data:
    - secretKey: access_key
      remoteRef:
        key: secret/minio
        property: root-user
    - secretKey: secret_key
      remoteRef:
        key: secret/minio
        property: root-password