apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-datato-chained
  namespace: default
spec:
  refreshInterval: 10s
  secretStoreRefs:
    - name: secret-store
      kind: SecretStore
  selector:
    secret:
      name: source-secret
  # Apply multiple transformations sequentially
  dataTo:
    - storeRef:
        name: secret-store
      match:
        regexp: "^db-.*"
      rewrite:
        # First: Remove "db-" prefix
        - regexp:
            source: "^db-"
            target: ""
        # Second: Add "prod/" prefix
        - regexp:
            source: "^"
            target: "prod/"
      # db-host -> host -> prod/host
      # db-port -> port -> prod/port