apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: vault-secret-store
spec:
  provider:
    vault:
      server: http://vault.{{ .Env.K8S_VAULT_NAMESPACE }}:8200
      path: secret
      version: v2
      auth:
        kubernetes:
          role: external-secrets
          mountPath: kubernetes
          serviceAccountRef:
            name: external-secrets
            namespace: {{ .Env.EXTERNAL_SECRETS_NAMESPACE }}
            # Audience must match the audience configured in Vault Kubernetes auth role
            # Required for Vault 1.21+ compatibility
            audiences:
              - vault
  refreshInterval: {{ .Env.EXTERNAL_SECRETS_REFRESH_INTERVAL }}