---
# ExternalSecret that materialises Authelia's core secrets as the Kubernetes
# Secret `authelia-secrets` in the `authelia` namespace. Only Vault paths and
# property names are referenced here; no secret material lives in this file.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: authelia-secrets
  namespace: authelia
spec:
  # Re-read from Vault every hour so rotated values propagate without a redeploy.
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: authelia-secrets
    # Owner: the target Secret is created by this resource and carries an
    # ownerReference to it, so it is removed when the ExternalSecret is deleted.
    creationPolicy: Owner
  # Each entry becomes one key (`secretKey`) in the target Secret, populated from
  # the named `property` of the Vault path in `key`.
  data:
    # Storage password (PostgreSQL)
    - secretKey: STORAGE_PASSWORD
      remoteRef:
        key: databases/postgresql
        property: PASSWORD
    # Session secret
    - secretKey: SESSION_SECRET
      remoteRef:
        key: cluster-infrastructure/authelia
        property: SESSION_SECRET
    # Storage encryption key
    - secretKey: STORAGE_ENCRYPTION_KEY
      remoteRef:
        key: cluster-infrastructure/authelia
        property: STORAGE_ENCRYPTION_KEY
    # OIDC HMAC secret
    - secretKey: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      remoteRef:
        key: cluster-infrastructure/authelia
        property: OIDC_HMAC_SECRET
    # OIDC JWKS private key (base64 encoded)
    # NOTE(review): the Vault value is stored base64-encoded per the comment above;
    # the resulting Secret key will therefore hold base64 text, not the raw PEM.
    # If Authelia expects the raw key, set `decodingStrategy: Base64` on this
    # remoteRef — confirm against how the Secret is consumed.
    - secretKey: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      remoteRef:
        key: cluster-infrastructure/authelia
        property: OIDC_JWKS_PRIVATE_KEY
    # JWT HMAC key for identity validation (password reset)
    # NOTE(review): this secretKey uses dotted lower-case naming while the other
    # entries use env-var style; confirm it matches how Authelia reads this key
    # (mounted file path vs. environment variable).
    - secretKey: identity_validation.reset_password.jwt.hmac.key
      remoteRef:
        key: cluster-infrastructure/authelia
        property: JWT_HMAC_KEY
---
# ExternalSecret holding the OIDC client secrets Authelia issues to relying
# parties, materialised as the Secret `authelia-oidc-clients`. Same store,
# refresh interval and ownership policy as `authelia-secrets` above.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: authelia-oidc-clients
  namespace: authelia
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: authelia-oidc-clients
    creationPolicy: Owner
  data:
    # Client secret for the MinIO OIDC relying party.
    - secretKey: MINIO_CLIENT_SECRET
      remoteRef:
        key: databases/minio
        property: OIDC_CLIENT_SECRET