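---
# ExternalSecret: copies the Grafana generic-OAuth client ID and client secret
# from Vault into the Kubernetes Secret "grafana-oauth".
#
# No metadata.namespace is set on any object in this file, so the namespace
# comes from however the manifests are applied. A namespaced SecretStore is
# resolved from the ExternalSecret's own namespace, so all three objects must
# land in the same one.
#
# spec.refreshInterval is not set, so the operator's default applies. Set it
# explicitly if a rotation in Vault must reach the cluster within a known
# window.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-grafana-oauth
spec:
  secretStoreRef:
    name: vault-kube-prometheus
    kind: SecretStore
  target:
    # Kubernetes Secret that receives the synced values. It holds the OAuth
    # client secret merely base64-encoded, so RBAC get/list/watch on Secrets
    # in this namespace is the effective access control for it.
    name: grafana-oauth
  data:
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: secrets/kube-prometheus/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: secrets/kube-prometheus/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
---
# ExternalSecret: copies the Grafana admin user name and password from Vault
# into the Kubernetes Secret "grafana-admin-credentials".
# As above, refreshInterval is left to the operator default.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-admin-credentials
spec:
  secretStoreRef:
    name: vault-kube-prometheus
    kind: SecretStore
  target:
    # Holds the Grafana admin password; restrict Secret read access in this
    # namespace accordingly.
    name: grafana-admin-credentials
  data:
    - secretKey: admin-password
      remoteRef:
        key: secrets/kube-prometheus/grafana/admin
        property: admin-password
    - secretKey: admin-user
      remoteRef:
        key: secrets/kube-prometheus/grafana/admin
        property: admin-user
---
# SecretStore: the Vault backend both ExternalSecrets above refer to.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kube-prometheus
spec:
  provider:
    vault:
      # NOTE(review): plain http:// means the Kubernetes-auth login (the
      # service-account JWT), the Vault token returned for it, and every
      # secret value read cross the cluster network unencrypted. Once the
      # Vault listener serves TLS, switch to https:// and pin the issuing CA
      # with caBundle or caProvider.
      server: "http://vault.vault.svc.cluster.local:8200"
      # KV mount name. The remoteRef keys above also begin with "secrets/";
      # verify the operator resolves that to the intended path under this
      # mount rather than to a nested "secrets/secrets/...".
      path: "secrets"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          # NOTE(review): neither serviceAccountRef nor secretRef is given,
          # so the operator presumably logs in with the controller's own
          # service-account token; confirm. Binding this Vault role to a
          # dedicated ServiceAccount via serviceAccountRef, with a read-only
          # policy limited to secrets/kube-prometheus/grafana/*, keeps the
          # role from being usable by SecretStores in other namespaces. The
          # role's policy is not visible in this file.
          role: "external-secrets"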