{{- /*
  Bootstrap secrets for development only.
  In production, use an external secret manager (Vault, SealedSecrets, External Secrets).
*/ -}}
{{- $secrets := .Values.secrets | default dict -}}
{{- if and (ne $secrets.enabled false) $secrets.enabled -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "admin.fullname" . }}-secrets
  namespace: {{ include "admin.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ .Chart.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
    "helm.sh/resource-policy": keep
type: Opaque
stringData:
  {{- if $secrets.databaseUrl }}
  {{ .Values.admin.secretKeys.databaseUrl }}: {{ $secrets.databaseUrl | quote }}
  {{- end }}
  {{- if $secrets.redisUrl }}
  {{ .Values.admin.secretKeys.redisUrl }}: {{ $secrets.redisUrl | quote }}
  {{- end }}
  {{- if $secrets.nextAuthSecret }}
  {{ .Values.admin.secretKeys.nextAuthSecret }}: {{ $secrets.nextAuthSecret | quote }}
  {{- end }}
  {{- range $key, $value := $secrets.extra | default dict }}
  {{ $key }}: {{ $value | quote }}
  {{- end }}
{{- end }}