apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: airbyte-minio-external-secret
  namespace: {{ .Env.AIRBYTE_NAMESPACE }}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-secret-store
    kind: ClusterSecretStore
  target:
    # Target: airbyte-airbyte-secrets is managed by Helm's pre-install hook
    # We use creationPolicy: Merge to add MinIO credentials to the existing secret
    # Note: This may need re-sync after Helm reinstalls due to timing issues
    name: airbyte-airbyte-secrets
    creationPolicy: Merge
    template:
      type: Opaque
      data:
        access_key: "{{ `{{ .access_key }}` }}"
        secret_key: "{{ `{{ .secret_key }}` }}"
  data:
    - secretKey: access_key
      remoteRef:
        key: airbyte/minio
        property: access_key
    - secretKey: secret_key
      remoteRef:
        key: airbyte/minio
        property: secret_key
    - secretKey: bucket
      remoteRef:
        key: airbyte/minio
        property: bucket
    - secretKey: endpoint
      remoteRef:
        key: airbyte/minio
        property: endpoint