theshire/kubernetes/apps/observability/thanos/app/pushsecret.yaml

---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: thanos
spec:
  refreshInterval: 1h
  secretStoreRefs:
    - name: onepassword-connect
      kind: ClusterSecretStore
  selector:
    secret:
      name: thanos-bucket
  data:
    - match:
        secretKey: &key AWS_ACCESS_KEY_ID
        remoteRef:
          remoteKey: thanos
          property: *key
    - match:
        secretKey: &key AWS_SECRET_ACCESS_KEY
        remoteRef:
          remoteKey: thanos
          property: *key