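---
# Three ExternalSecrets that materialise zot's credentials in namespace `zot`
# from the ClusterSecretStore named `vault-backend`. All three read properties
# of the same remote key (`zot`) and re-sync every hour.
#
# NOTE(review): a ClusterSecretStore is cluster-scoped; which namespaces may
# reference it is controlled on the store itself, not in this file.
# NOTE(review): refreshInterval only bounds how quickly a rotated value reaches
# the Kubernetes Secret. Whether zot picks up the new value without a restart
# is not visible here.

# htpasswd file for zot's local user authentication.
# NOTE(review): zot's documentation calls for bcrypt htpasswd entries; confirm
# the value stored under HTPASSWD was generated that way.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zot-htpasswd-secret
  namespace: zot
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: zot-htpasswd
    # Owner: the generated Secret is owned by this ExternalSecret and is
    # removed together with it.
    creationPolicy: Owner
  data:
    - secretKey: htpasswd
      remoteRef:
        key: zot
        property: HTPASSWD
---
# OIDC client credentials, rendered into a single `credentials.json` key.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zot-oidc-secret
  namespace: zot
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: zot-oidc-credentials
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # toJson emits each value as a quoted, escaped JSON string. Plain
        # "{{ .x }}" interpolation would yield invalid or altered JSON if the
        # secret ever contains a double quote, backslash or control character.
        credentials.json: |
          {
            "clientid": {{ .client_id | toJson }},
            "clientsecret": {{ .client_secret | toJson }}
          }
  data:
    # These keys are the template inputs referenced above.
    - secretKey: client_id
      remoteRef:
        key: zot
        property: OIDC_CLIENT_ID
    - secretKey: client_secret
      remoteRef:
        key: zot
        property: OIDC_CLIENT_SECRET
---
# Session key material, exposed as two separate keys in the target Secret.
# NOTE(review): presumably hashKey authenticates and blockKey encrypts session
# cookies; nothing here validates key length or format, so verify the stored
# values against what zot expects.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zot-session-secret
  namespace: zot
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: zot-session-keys
    creationPolicy: Owner
  data:
    - secretKey: hashKey
      remoteRef:
        key: zot
        property: SESSION_HASH_KEY
    - secretKey: blockKey
      remoteRef:
        key: zot
        property: SESSION_BLOCK_KEY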