apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: keycloak
  namespace: keycloak
spec:
  length: 36
  digits: 5
  symbols: 5
  symbolCharacters: "/-+"
  noUpper: false
  allowRepeat: true
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: keycloak-config
  namespace: keycloak
spec:
  refreshInterval: "0"
  target:
    name: keycloak-config
    template:
      metadata:
        labels:
          cnoe.io/cli-secret: "true"
          cnoe.io/package-name: keycloak
      engineVersion: v2
      data:
        KEYCLOAK_ADMIN_PASSWORD: "{{.KEYCLOAK_ADMIN_PASSWORD}}"
        KC_DB_USERNAME: keycloak
        KC_DB_PASSWORD: "{{.KC_DB_PASSWORD}}"
        POSTGRES_DB: keycloak
        POSTGRES_USER: keycloak
        POSTGRES_PASSWORD: "{{.KC_DB_PASSWORD}}"
        USER_PASSWORD: "{{.USER_PASSWORD}}"
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: keycloak
      rewrite:
        - transform:
            template: "KEYCLOAK_ADMIN_PASSWORD"
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: keycloak
      rewrite:
        - transform:
            template: "KC_DB_PASSWORD"
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: keycloak
      rewrite:
        - transform:
            template: "USER_PASSWORD"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-store
  namespace: keycloak
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: keycloak
  name: eso-store
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectrulesreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eso-store
  namespace: keycloak
subjects:
  - kind: ServiceAccount
    name: eso-store
    namespace: keycloak
roleRef:
  kind: Role
  name: eso-store
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: keycloak
spec:
  provider:
    kubernetes:
      remoteNamespace: keycloak
      server:
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          namespace: keycloak
          key: ca.crt
      auth:
        serviceAccount:
          name: eso-store
          namespace: keycloak
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-store
  namespace: gitea
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eso-store
  namespace: gitea
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectrulesreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eso-store
  namespace: gitea
subjects:
  - kind: ServiceAccount
    name: eso-store
    namespace: gitea
roleRef:
  kind: Role
  name: eso-store
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gitea
spec:
  provider:
    kubernetes:
      remoteNamespace: gitea
      server:
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          namespace: gitea
          key: ca.crt
      auth:
        serviceAccount:
          name: eso-store
          namespace: gitea