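---
# RBAC that lets a ServiceAccount living in `mosquitto` read Secrets in the
# `wildcard-tls` namespace, so External Secrets Operator (ESO) can copy the
# wildcard certificate across namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: wildcard-tls
  name: wildcard-tls-reader
rules:
  # NOTE(review): this grants read on *every* Secret in `wildcard-tls`, not
  # only the one the ExternalSecret below extracts. Acceptable if that
  # namespace holds nothing but this certificate; otherwise consider a
  # `resourceNames: [wildcard-tls]` rule for `get` (list/watch cannot be
  # narrowed by name) and confirm ESO's store validation still passes.
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # ESO creates a SelfSubjectRulesReview to check the store's own permissions.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectrulesreviews
    verbs:
      - create
---
# Identity ESO authenticates as when talking to the source namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wildcard-tls-sa
  namespace: mosquitto
---
# Cross-namespace binding: the SA from `mosquitto` receives the Role above,
# which is scoped to `wildcard-tls`. Nothing else is granted to the SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wildcard-tls-reader-from-mosquitto
  namespace: wildcard-tls
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: wildcard-tls-reader
subjects:
  - kind: ServiceAccount
    name: wildcard-tls-sa
    namespace: mosquitto
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: wildcard-tls
  namespace: mosquitto
spec:
  provider:
    kubernetes:
      # Source namespace: the store is only able to pull Secrets from
      # `wildcard-tls` (the namespace the Role above is scoped to), not
      # from `default` or anywhere else.
      remoteNamespace: wildcard-tls
      server:
        # Verify the API server against the cluster root CA that Kubernetes
        # publishes into every namespace, so the store cannot be redirected
        # to a server presenting a different certificate.
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
      auth:
        serviceAccount:
          name: "wildcard-tls-sa"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: wildcard-tls
  namespace: mosquitto
spec:
  # Re-sync hourly so a rotated certificate propagates without manual action.
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: wildcard-tls
  target:
    # Secret created in `mosquitto`. NOTE(review): ESO creates it as type
    # Opaque unless `target.template.type` is set; use `kubernetes.io/tls`
    # if a consumer (e.g. an Ingress) requires that type.
    name: wildcard-tls
  dataFrom:
    # `key` is the name of the source Secret in the remote namespace; all of
    # its data keys are copied into the target as-is.
    - extract:
        key: wildcard-tls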