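---
# SecretStore: tells External Secrets Operator (ESO) how to reach Azure Key Vault
# from the "the-order" namespace. Being namespaced, it can be referenced by any
# ExternalSecret in this namespace, so the identity behind it should be able to
# read only this application's vault entries.
# NOTE(review): newer ESO releases serve external-secrets.io/v1 - confirm the
# installed operator still serves v1beta1 before applying.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-keyvault
  namespace: the-order
spec:
  provider:
    azurekv:
      # ${...} values are template placeholders. kubectl does not expand them;
      # render the manifest (envsubst, Helm, Kustomize replacement, ...) before
      # applying, or the literal placeholder text is sent to Azure.
      tenantId: "${AZURE_TENANT_ID}"
      vaultUrl: "${AZURE_KEY_VAULT_URI}"
      # Workload identity: ESO exchanges the service account's projected token
      # for an Entra token, so no client secret is stored in the cluster.
      authType: WorkloadIdentity
      serviceAccountRef:
        # Must exist in this namespace and carry the workload-identity
        # annotation (azure.workload.identity/client-id) for an identity that
        # is federated with this cluster. Grant that identity read-only access
        # to secrets in the vault, nothing broader.
        name: external-secrets-sa
---
# ExternalSecret: copies the listed Key Vault entries into one Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-secrets
  namespace: the-order
spec:
  # Rotated vault values reach the cluster within at most this interval.
  # Workloads that read the Secret as environment variables still need a
  # restart to pick up the new value.
  refreshInterval: 1h
  secretStoreRef:
    name: azure-keyvault
    kind: SecretStore
  target:
    # NOTE(review): every key below lands in this single Secret, so any
    # workload or RBAC subject allowed to read it obtains the database URL,
    # storage key, Entra client secret, payment gateway key and Grafana admin
    # password together. Consider one ExternalSecret/target per consumer.
    name: the-order-secrets
    # Owner: ESO creates the Secret, sets an ownerReference, and the Secret is
    # garbage-collected when this ExternalSecret is deleted.
    creationPolicy: Owner
  data:
    # Database
    - secretKey: database-url
      remoteRef:
        key: database-url

    # Azure Storage
    - secretKey: storage-account
      remoteRef:
        key: storage-account
    # NOTE(review): a storage account key is a long-lived shared credential
    # with full data-plane access; prefer identity-based access if the
    # consumer supports it, and make sure the key is rotated.
    - secretKey: storage-key
      remoteRef:
        key: storage-key

    # Entra VerifiedID
    - secretKey: entra-tenant-id
      remoteRef:
        key: entra-tenant-id
    - secretKey: entra-client-id
      remoteRef:
        key: entra-client-id
    - secretKey: entra-client-secret
      remoteRef:
        key: entra-client-secret

    # Payment Gateway
    - secretKey: payment-gateway-api-key
      remoteRef:
        key: payment-gateway-api-key

    # Grafana
    - secretKey: grafana-admin-password
      remoteRef:
        key: grafana-admin-password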