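---
# ExternalSecret that materialises the Kubernetes Secret "authentik-secrets"
# in the "authentik" namespace from the Vault entry secret/apps/authentik.
# Every value below is read from a property of that single Vault entry.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: authentik-secrets
  namespace: authentik
spec:
  # The target Secret is re-synced from Vault every minute. Workloads that
  # consume these keys as environment variables only see a rotated value
  # after a pod restart.
  refreshInterval: 1m
  secretStoreRef:
    # A ClusterSecretStore is cluster-scoped. NOTE(review): confirm that the
    # Vault role behind "vault-backend" is limited to the paths it needs and
    # that the store restricts which namespaces may reference it.
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: authentik-secrets
    # Owner: the operator creates the Secret and owns its lifecycle.
    creationPolicy: Owner
  data:
    # General secret key for authentik.
    - secretKey: AUTHENTIK_SECRET_KEY
      remoteRef:
        key: secret/apps/authentik
        property: secret_key

    # Email password (optional).
    - secretKey: AUTHENTIK_EMAIL__PASSWORD
      remoteRef:
        key: secret/apps/authentik
        property: email_password

    # PostgreSQL and Redis passwords for the authentik configuration
    # (environment variables).
    - secretKey: AUTHENTIK_POSTGRESQL__PASSWORD
      remoteRef:
        key: secret/apps/authentik
        property: postgres_password
    - secretKey: AUTHENTIK_REDIS__PASSWORD
      remoteRef:
        key: secret/apps/authentik
        property: redis_password

    # Passwords for the infrastructure containers (the Postgres/Redis pods
    # themselves). These keys are referenced in values.yaml.
    # They read the same Vault properties as the two AUTHENTIK_* entries
    # above, so both sides of each connection follow a rotation in Vault.
    - secretKey: postgres-password
      remoteRef:
        key: secret/apps/authentik
        property: postgres_password
    - secretKey: redis-password
      remoteRef:
        key: secret/apps/authentik
        property: redis_password

    # Initial admin token (optional, for bootstrapping).
    # NOTE(review): authentik documents its bootstrap variables as being
    # read on first startup only. Once the instance is initialised,
    # consider removing this entry and revoking the token, so a long-lived
    # admin credential does not remain in the Secret and in pod
    # environments.
    - secretKey: AUTHENTIK_BOOTSTRAP_TOKEN
      remoteRef:
        key: secret/apps/authentik
        property: bootstrap_token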