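---
# Example secrets configuration file for the secrets-manager-integrator plugin.
# This file demonstrates how to configure connections to different secrets
# managers.
#
# Every value below is a placeholder. A filled-in copy of this file holds
# credentials: keep it out of version control and readable only by the
# account that runs the plugin (for example, file mode 0600).

# Global configuration settings
global:
  # Default secrets manager to use if not specified in a specific operation.
  # Valid options: vault, aws_secrets_manager, azure_key_vault,
  # google_secret_manager, file
  default_manager: vault

  # Enable debug logging (true/false)
  # NOTE(review): confirm that debug output never includes secret values
  # before enabling this outside a development environment.
  debug: false

# Configuration for connecting to HashiCorp Vault
vault:
  # Enable or disable Vault integration (true/false)
  enabled: true

  # Vault server address (e.g., https://vault.example.com:8200)
  # Keep the https:// scheme so credentials and secrets are not sent in
  # clear text.
  address: "https://REPLACE_ME_VAULT_ADDRESS:8200"

  # Authentication method to use. Valid options: token, app_role, kubernetes
  # Only the block matching this value needs real credentials; leave the
  # other blocks as placeholders.
  auth_method: token

  # Token-based authentication configuration
  token:
    # Vault token to use for authentication
    # A static token is a bearer credential. Prefer app_role or kubernetes
    # where available; otherwise use a short-lived, narrowly scoped token.
    token: "YOUR_VAULT_TOKEN_HERE"

  # AppRole-based authentication configuration (if auth_method is app_role)
  app_role:
    role_id: "YOUR_VAULT_ROLE_ID_HERE"
    # The secret_id is a credential; protect it like a token.
    secret_id: "YOUR_VAULT_SECRET_ID_HERE"

  # Kubernetes-based authentication configuration (if auth_method is
  # kubernetes)
  kubernetes:
    role: "YOUR_VAULT_K8S_ROLE_HERE"
    service_account_path: "/var/run/secrets/kubernetes.io/serviceaccount/token"

  # Path prefix for secrets (e.g., secret/)
  # Scope the Vault policy attached to the credential above to this prefix
  # rather than granting access to the whole mount.
  secret_path_prefix: "secret/"

# Configuration for connecting to AWS Secrets Manager
aws_secrets_manager:
  # Enable or disable AWS Secrets Manager integration (true/false)
  enabled: false

  # AWS region (e.g., us-east-1)
  region: "YOUR_AWS_REGION_HERE"

  # AWS Access Key ID (optional, if not using IAM role)
  # Prefer an IAM role over long-lived access keys stored in this file.
  aws_access_key_id: "REPLACE_ME_AWS_ACCESS_KEY_ID"

  # AWS Secret Access Key (optional, if not using IAM role)
  aws_secret_access_key: "REPLACE_ME_AWS_SECRET_ACCESS_KEY"

  # ARN of the IAM role to assume (optional, for enhanced security)
  role_arn: "YOUR_AWS_ROLE_ARN_HERE"

  # Prefix for secrets (e.g., /my-app/)
  # Restrict the IAM policy to secrets under this prefix.
  secret_prefix: "/my-app/"

# Configuration for Azure Key Vault
azure_key_vault:
  # Enable or disable Azure Key Vault integration (true/false)
  enabled: false

  # Azure Key Vault URL (e.g., https://my-key-vault.vault.azure.net/)
  vault_url: "https://YOUR_KEY_VAULT_NAME.vault.azure.net/"

  # Azure Tenant ID
  tenant_id: "YOUR_AZURE_TENANT_ID_HERE"

  # Azure Client ID (Application ID)
  client_id: "YOUR_AZURE_CLIENT_ID_HERE"

  # Azure Client Secret (Application Secret)
  # This is a credential; rotate it on a schedule and on suspected exposure.
  client_secret: "YOUR_AZURE_CLIENT_SECRET_HERE"

# Configuration for Google Cloud Secret Manager
google_secret_manager:
  # Enable or disable Google Cloud Secret Manager integration (true/false)
  enabled: false

  # Google Cloud Project ID
  project_id: "YOUR_GOOGLE_PROJECT_ID_HERE"

  # Path to the Google Cloud service account key file (JSON)
  # The key file is a long-lived credential; restrict its file permissions
  # and keep it out of the repository.
  credentials_path: "/path/to/your/google/credentials.json"

# Configuration for File-based secrets (for testing/development only!)
# Secrets in this backend sit in plain text on disk.
file:
  # Enable or disable File integration (true/false)
  enabled: false

  # Path to the secrets file (YAML or JSON)
  path: "/path/to/your/secrets.yaml"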