gitops/infrastructure/external-secrets/cluster-secret-store.yaml

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://10.100.30.11:8200" # HTTPS!
      path: "secret"
      version: "v2"
      tls:
        insecureSkipVerify: true # WICHTIG bei Self-Signed Certs
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets-role"
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets