---
# External Secrets Operator SecretStore that reads from Infisical.
# metadata.namespace is not set, so the store is created in whichever
# namespace the manifest is applied to.
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: infisical
spec:
  provider:
    infisical:
      # Optional (default: https://app.infisical.com).
      #
      # Change this only when you run a different Infisical instance.
      # The client credentials configured under `auth` are presented to this
      # endpoint, so keep it on https:// and point it only at a host you trust.
      hostAPI: "https://app.infisical.com"

      # Optional: PEM-encoded CA bundle for self-hosted instances with private CAs.
      # The sample value below is the base64 form of a PEM certificate header.
      # Prefer pinning the private CA here over weakening TLS verification.
      # caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t..."

      # Optional: reference to a Secret or ConfigMap that holds the CA certificate.
      # Mutually exclusive with caBundle.
      # caProvider:
      #   type: Secret  # or ConfigMap
      #   name: infisical-ca
      #   key: ca.crt
      #   # namespace is required for ClusterSecretStore
      #   # namespace: external-secrets

      auth:
        # Universal Auth: both values are read from the Kubernetes Secret
        # `universal-auth-credentials`, never written inline in this manifest.
        # Limit RBAC read access on that Secret to the operator.
        # NOTE(review): this is a namespaced SecretStore; confirm that
        # `namespace: default` matches the namespace the store is deployed in
        # (or drop the field) -- verify against your operator version.
        universalAuthCredentials:
          clientId:
            name: universal-auth-credentials
            namespace: default
            key: clientId
          clientSecret:
            name: universal-auth-credentials
            namespace: default
            key: clientSecret

      secretsScope:
        projectSlug: first-project-fujo
        # "dev", "staging", "prod", etc.
        environmentSlug: dev

        # Optional (default: `/`).
        #
        # Base path used by `data` and `dataFrom` rules. A `data` `remoteRef`
        # that carries its own path (e.g. `/foo/bar`) is treated as an absolute
        # reference and ignores this default.
        #
        # This is NOT a security boundary: to keep the store from reading
        # secrets outside this path, restrict the machine identity with
        # Access Controls in Infisical instead.
        secretsPath: "/"

        # Optional (default: false).
        #
        # When enabled, `dataFrom` patterns fetch secrets recursively. Combined
        # with `secretsPath: /` that covers every secret the identity can read
        # in this environment, so enable it deliberately.
        recursive: false

        # Optional (default: true). Explicitly disabled in this example.
        expandSecretReferences: false