Add new cluster secret for PGO.

kubernetes/apps/security/external-secrets/cluster-secrets/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./pgo-s3-creds.yaml

kubernetes/apps/security/external-secrets/cluster-secrets/pgo-s3-creds.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: pgo-s3-creds
+spec:
+  externalSecretName: pgo-s3-creds
+
+  namespaceSelector:
+    matchLabels:
+      pgo-enabled-hsn.dev: "true"
+
+  refreshTime: "1m"
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: onepassword-connect
+
+    target:
+      name: pgo-s3-creds
+      creationPolicy: Owner
+      template:
+        engineVersion: v2
+        data:
+          s3.conf: |
+            [global]
+            repo1-s3-key={{ .minio_crunchy_postgres_access_key }}
+            repo1-s3-key-secret={{ .minio_crunchy_postgres_secret_key }}
+
+    dataFrom:
+      - extract:
+          key: minio
+        rewrite:
+          - regexp:
+              source: "[-]"
+              target: "_"
+          - regexp:
+              source: "(.*)"
+              target: "minio_$1"

kubernetes/apps/security/namespace.yaml

@@ -5,4 +5,4 @@ metadata:
   name: security
   labels:
     kustomize.toolkit.fluxcd.io/prune: disabled
-    goldilocks.fairwinds.com/enabled: "true"
+    pgo-enabled-hsn.dev: "true"