apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: tailscale-auth
  namespace: tailscale
  labels:
    app: tailscale
    managed-by: orion
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: orion-vault
    kind: ClusterSecretStore
  target:
    name: tailscale-auth
    creationPolicy: Owner
    template:
      type: Opaque
  data:
  - secretKey: TS_AUTH_KEY
    remoteRef:
      key: secret/data/tailscale
      property: TS_AUTH_KEY