apiVersion: v1
kind: Namespace
metadata:
  name: sealed-secrets
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-secrets-manager
  namespace: sealed-secrets
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/external-secrets-role
---
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: sealed-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: AWS_REGION
      auth:
        jwt:
          serviceAccountRef:
            name: aws-secrets-manager
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: sealed-secrets
  namespace: sealed-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: sealed-secrets
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
      metadata:
        labels:
          sealedsecrets.bitnami.com/sealed-secrets-key: active
  data:
  - secretKey: tls.crt
    remoteRef:
      key: sealed-secrets
      property: crt
  - secretKey: tls.key
    remoteRef:
      key: sealed-secrets
      property: key