{% raw %}
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-secrets
  namespace: default
spec:
  target:
    name: my-secrets
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        username: |-
          {{ .username }}
        password: |-
          {{ .password }}
        postgres-password: |-
          {{ .postgres_password }}
        postgres-replication-password: |-
          {{ .postgres_replication_password }}
        db_url: |-
          postgresql://{{ .username }}:{{ .password }}@my-postgresql:5432/mydb
        service_account_key: |-
          {{ .service_account_key }}
        ssh_pub_key: |-
          {{ .ssh_pub_key }}
  data:
    - secretKey: username
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: username
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: password
    - secretKey: postgres_password
      sourceRef:
        storeRef:
          name: bitwarden-fields
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: admin-password
    - secretKey: postgres_replication_password
      sourceRef:
        storeRef:
          name: bitwarden-fields
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: postgres-replication-password
    - secretKey: service_account_key
      sourceRef:
        storeRef:
          name: bitwarden-notes
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: service_account_key
    - secretKey: ssh_pub_key
      sourceRef:
        storeRef:
          name: bitwarden-attachments
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: id_rsa.pub
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-secrets-ssh
  namespace: default
spec:
  target:
    template:
      type: kubernetes.io/ssh-auth
      data:
        ssh-privatekey: "{{ .privateKey | toString }}"
  data:
    - secretKey: privateKey
      sourceRef:
        storeRef:
          name: bitwarden-ssh
          kind: ClusterSecretStore  # or SecretStore
      remoteRef:
        key: aaaabbbb-cccc-dddd-eeee-000011112222
        property: privateKey
{% endraw %}