agentic-os/platform/security/external-secrets/cluster-secret-store-vault.yaml

# Alternative: HashiCorp Vault KV v2. Enable one ClusterSecretStore in your environment.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-kv2
spec:
  provider:
    vault:
      server: "https://vault.platform-security.svc:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: external-secrets
            namespace: platform-security