apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-app-secret
spec:
  secretStoreRef:
    name: volcengine-kms
    kind: SecretStore

  target:
    name: db-credentials # The name of the K8s Secret to be created/updated

  data:
  # Case 1: Get the entire Secret (JSON format) from the secret manager and extract a single property
  - secretKey: password
    remoteRef:
      key: "my-app/db/credentials" # The name of the secret in the secret manager
      property: "password" # The field name in the JSON

  # Case 2: Do not specify a property, get the entire Secret from the secret manager and sync all its key-value pairs
  - secretKey: password
    remoteRef:
      key: "my-app/db/credentials"