{{- /*
  External Secrets - 从外部 Secret Manager 同步密钥
  需要集群安装: External Secrets Operator (ESO)
  https://external-secrets.io/
*/ -}}

{{- $ns := include "gitdata.namespace" . -}}

{{- /* Database Secret */ -}}
{{- if .Values.database.existingSecret -}}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.database.existingSecret }}
  namespace: {{ $ns }}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: {{ .Values.externalSecrets.storeName | default "vault-backend" }}
    kind: {{ .Values.externalSecrets.storeKind | default "SecretStore" }}
  target:
    name: {{ .Values.database.existingSecret }}
    creationPolicy: Owner
  data:
    - secretKey: {{ .Values.database.secretKeys.url }}
      remoteRef:
        key: {{ .Values.externalSecrets.databaseKey | default "gitdata/database" }}
        property: url
{{- end }}

{{- /* Redis Secret */ -}}
{{- if .Values.redis.existingSecret -}}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.redis.existingSecret }}
  namespace: {{ $ns }}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: {{ .Values.externalSecrets.storeName | default "vault-backend" }}
    kind: {{ .Values.externalSecrets.storeKind | default "SecretStore" }}
  target:
    name: {{ .Values.redis.existingSecret }}
    creationPolicy: Owner
  data:
    - secretKey: {{ .Values.redis.secretKeys.url }}
      remoteRef:
        key: {{ .Values.externalSecrets.redisKey | default "gitdata/redis" }}
        property: url
{{- end }}

{{- /* Qdrant Secret */ -}}
{{- if and .Values.qdrant.enabled .Values.qdrant.existingSecret -}}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.qdrant.existingSecret }}
  namespace: {{ $ns }}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: {{ .Values.externalSecrets.storeName | default "vault-backend" }}
    kind: {{ .Values.externalSecrets.storeKind | default "SecretStore" }}
  target:
    name: {{ .Values.qdrant.existingSecret }}
    creationPolicy: Owner
  data:
    - secretKey: {{ .Values.qdrant.secretKeys.apiKey }}
      remoteRef:
        key: {{ .Values.externalSecrets.qdrantKey | default "gitdata/qdrant" }}
        property: apiKey
{{- end }}