{% raw %}
apiVersion: external-secrets.io/v1
kind: ClusterExternalSecret
metadata:
  name: "hello-world"
spec:
  # The name to be used on the ExternalSecrets
  externalSecretName: "hello-world-es"

  # This is a basic label selector to select the namespaces to deploy ExternalSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # Deprecated: Use namespaceSelectors instead.
  # namespaceSelector:
  #   matchLabels:
  #     cool: label

  # This is a list of basic label selector to select the namespaces to deploy ExternalSecrets to.
  # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
  # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
  # the ExternalSecret will be deployed to that namespace.
  namespaceSelectors:
  - matchLabels:
      cool: label

  # How often the ClusterExternalSecret should reconcile itself
  # This will decide how often to check and make sure that the ExternalSecrets exist in the matching namespaces
  refreshTime: "1m"

  # This is the spec of the ExternalSecrets to be created
  # The content of this was taken from our ExternalSecret example
  externalSecretSpec:
    secretStoreRef:
      name: secret-store-name
      kind: SecretStore

    # RefreshPolicy determines how the ExternalSecret should be refreshed:
    # - CreatedOnce: Creates the Secret only if it does not exist and does not update it afterward
    # - Periodic: (default) Synchronizes the Secret at intervals specified by refreshInterval
    # - OnChange: Only synchronizes when the ExternalSecret's metadata or specification changes
    refreshPolicy: Periodic

    refreshInterval: "1h0m0s"
    target:
      name: my-secret
      creationPolicy: 'Merge'
      template:
        type: kubernetes.io/dockerconfigjson

        metadata:
          annotations: {}
          labels: {}
        data:
          config.yml: |
            endpoints:
            - https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
        templateFrom:
        - configMap:
            name: alertmanager
            items:
            - key: alertmanager.yaml
    data:
      - secretKey: secret-key-to-be-managed
        remoteRef:
          key: provider-key
          version: provider-key-version
          property: provider-key-property
    dataFrom:
    - key: provider-key
      version: provider-key-version
      property: provider-key-property

status:
  # This will list any namespaces where the creation of the ExternalSecret failed
  # This will not list any issues with the ExternalSecrets, you will have to check the
  # ExternalSecrets to see any issues with them.
  failedNamespaces:
    - namespace: "matching-ns-1"
      # This is one of the possible messages, and likely the most common
      reason: "external secret already exists in namespace"

  # You can find all matching and successfully deployed namespaces here
  provisionedNamespaces:
    - "matching-ns-3"
    - "matching-ns-2"

  # The condition can be Ready, PartiallyReady, or NotReady
  # PartiallyReady would indicate an error in 1 or more namespaces
  # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
  conditions:
  - type: PartiallyReady
    status: "True"
    lastTransitionTime: "2022-01-12T12:33:02Z"
{% endraw %}