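{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
{{- if and .Values.tenant.id .Values.tenant.s3Endpoint }}
# longhorn-s3-creds — per-tenant credentials for Longhorn's async S3 backup
# target. Same access_key/secret_key as s3-backup-creds (sourced from
# tenants/<tenant-id>/s3-credentials in OpenBao) but lives in odoosky-system
# (Longhorn's namespace) and includes AWS_ENDPOINTS for S3-compatible
# providers. AWS_ENDPOINTS comes from a chart helm value (tenant settings,
# not Vault) since it's a static config tied to the tenant's S3 provider
# choice rather than rotated credential material. Gated on s3Endpoint
# being set — empty endpoint = no Longhorn S3 backup configured.
#
# Operational / security notes:
# - The rendered Secret holds the tenant's live S3 credentials in
#   odoosky-system; anyone with read access to Secrets in that namespace
#   can use them. Keep RBAC there at least as tight as in the tenant namespace.
# - deletionPolicy is Retain: deleting this ExternalSecret (e.g. on tenant
#   offboarding) leaves the Kubernetes Secret and its credentials behind.
#   Revoke the key in OpenBao and delete the Secret explicitly as part of
#   offboarding, or switch to Delete if orphaned copies are not wanted.
# - refreshInterval is 1h: after a rotation in OpenBao the previous key can
#   remain in this Secret for up to an hour. Trigger a sync manually if the
#   old key is revoked immediately.
# - The Secret name is fixed (not tenant-scoped), presumably because
#   Longhorn's backup-target credential setting points at a single secret.
#   NOTE(review): this assumes one tenant release per cluster; two releases
#   rendering this in the same cluster would fight over the same object — confirm.
# - externalSecrets.openbao.mountPath is only a gate here; the mount actually
#   used is whatever the openbao-platform ClusterSecretStore is configured
#   with — confirm remoteRef.key is relative to that mount.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: longhorn-s3-creds
  namespace: odoosky-system
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
    # Label values must be <= 63 chars of [A-Za-z0-9._-], starting and ending
    # alphanumeric — tenant.id is assumed to satisfy that (not validated here).
    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    name: longhorn-s3-creds
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        # The outer Helm action wraps a backtick string literal, so Helm emits
        # the inner placeholder verbatim and ESO (engineVersion v2) expands it
        # from the secretKey values fetched below.
        AWS_ACCESS_KEY_ID: "{{ `{{ .access_key }}` }}"
        AWS_SECRET_ACCESS_KEY: "{{ `{{ .secret_key }}` }}"
        # Static per-tenant endpoint for S3-compatible providers; quoted so an
        # odd-looking value (e.g. host:port) is never re-typed by the YAML parser.
        AWS_ENDPOINTS: {{ .Values.tenant.s3Endpoint | quote }}
  data:
    - secretKey: access_key
      remoteRef:
        # printf + quote keeps the whole path a single quoted scalar even if
        # tenant.id contains characters YAML treats specially.
        key: {{ printf "tenants/%s/s3-credentials" .Values.tenant.id | quote }}
        property: access_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: secret_key
      remoteRef:
        key: {{ printf "tenants/%s/s3-credentials" .Values.tenant.id | quote }}
        property: secret_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}
{{- end }}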