apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: all-secrets
spec:
  refreshInterval: 1h           # rate ESO pulls Azure Key Vault
  secretStoreRef:
    kind: SecretStore
    name: azure-store           # name of the SecretStore (or kind specified)
  target:
    name: all-secrets           # name of the k8s Secret to be created
    creationPolicy: Owner
  dataFrom:
  # find all secrets starting with dev-
  - find:
      name:
        regexp: "^dev"
  # find all secrets with tags
  - find:
      tags:
        environment: dev

  # extract data from a json value
  - extract:
      key: database-credentials

  # fetch tags from `database-credentials`
  # and store them as individual keys in a secret
  - extract:
      key: database-credentials
      metadataPolicy: Fetch