apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: postgresql-app-user
  namespace: postgresql
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: postgresql-app-user
    creationPolicy: Owner
    template:
      type: kubernetes.io/basic-auth
      data:
        username: app
        password: "{{ .password }}"
  data:
    - secretKey: password
      remoteRef:
        key: postgresql
        property: PASSWORD

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: postgresql-superuser
  namespace: postgresql
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: postgresql-superuser
    creationPolicy: Owner
    template:
      type: kubernetes.io/basic-auth
      data:
        username: postgres
        password: "{{ .password }}"
  data:
    - secretKey: password
      remoteRef:
        key: postgresql
        property: PASSWORD