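---
# Five resources that let an External Secrets Operator (ESO) SecretStore read
# Secrets in the synapse namespace through a dedicated ServiceAccount token.

# Identity the store authenticates as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-store-sa
  namespace: synapse
---
# Namespaced permissions for eso-store-sa.
# Security: no resourceNames restriction is set, so the first rule allows
# reading every Secret in the synapse namespace, including the
# secret-store-token Secret defined further down. Keep unrelated Secrets out of
# this namespace, or narrow the rule if the store only needs specific ones.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: synapse
  name: eso-store-role
rules:
  # "" is the core API group, where Secret lives.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # Lets the account ask the API server which rules apply to itself.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectrulesreviews
    verbs:
      - create
---
# Binds eso-store-role to eso-store-sa within the synapse namespace.
# The generated "creationTimestamp: null" field was dropped: the API server
# sets creationTimestamp itself, and a null value can fail strict schema
# validation.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eso-store-rolebinding
  namespace: synapse
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: eso-store-role
subjects:
  - kind: ServiceAccount
    name: eso-store-sa
    namespace: synapse
---
# Token Secret for eso-store-sa. For this Secret type the control plane fills in
# the token and ca.crt keys for the ServiceAccount named in the annotation.
# Security: the token does not expire on its own; it stays valid until this
# Secret or the ServiceAccount is deleted. Anyone who can read Secrets in this
# namespace can use it, so limit that access and rotate by recreating the
# Secret.
apiVersion: v1
kind: Secret
metadata:
  name: secret-store-token
  namespace: synapse
  annotations:
    kubernetes.io/service-account.name: eso-store-sa
type: kubernetes.io/service-account-token
---
# SecretStore using the ESO Kubernetes provider with the token above.
# NOTE(review): newer ESO releases serve this kind as external-secrets.io/v1;
# confirm which API version the installed CRDs serve.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: k8s-store
  namespace: synapse
spec:
  provider:
    kubernetes:
      auth:
        token:
          # Bearer token read from the "token" key of secret-store-token.
          bearerToken:
            name: secret-store-token
            key: token
      # Namespace the provider reads Secrets from.
      remoteNamespace: synapse
      server:
        # CA bundle used to verify the API server's TLS certificate.
        # No server URL is set here, so the provider default applies.
        caProvider:
          type: Secret
          name: secret-store-token
          key: ca.crt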