{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
# ExternalSecret — declarative replacement for Tower's imperative
# kubectl-stamp of `gitea-archive-pull` (server_adapters.go was the
# previous owner; removed in tower:0.76.20). The K8s Secret produced
# in odoosky-system has the same name + key shape (`token`) the
# addon-build init container expects, so consumer code is unchanged.
#
# refreshInterval=0 → ESO does NOT poll OpenBao on a schedule. Token
# rotation is operator-driven: `bao kv put v3/platform/gitea-archive-pull
# token=NEW_VALUE`, then bump an annotation on this CR to force a
# resync (`kubectl annotate externalsecret gitea-archive-pull -n
# odoosky-system rotate=$(date +%s) --overwrite`). Saves audit-log
# noise for a token that rotates quarterly at most.
#
# Rotation is not revocation: the procedure above overwrites the OpenBao
# entry. If the entry is deleted instead (e.g. after the token leaks),
# deletionPolicy=Retain below keeps the last value in the K8s Secret —
# and with refreshInterval=0 nothing even re-reads the store until the
# annotation is bumped — so the cluster-side copy has to be removed or
# rotated explicitly as part of any revocation.
#
# Both template guards only gate rendering; `openbao.mountPath` is not
# referenced in the manifest itself. The KV mount is presumably resolved
# by the `openbao-platform` store — confirm against its definition.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-archive-pull
  namespace: odoosky-system
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
spec:
  # Quoted on purpose: the field is a duration string, so a bare 0 would
  # render as an integer and fail CRD validation.
  refreshInterval: "0"
  # Cluster-scoped store: any namespace can reference it unless the
  # store's own namespace conditions restrict it. NOTE(review): confirm
  # openbao-platform is scoped so other tenants cannot sync this path.
  secretStoreRef:
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    # Same name as this CR, matching what the init container mounts.
    name: gitea-archive-pull
    # Owner: ESO creates the Secret and sets an ownerReference to this CR.
    creationPolicy: Owner
    # Retain: if the provider entry disappears, the existing Secret keeps
    # its last value (ESO only reports a sync error). See header note.
    deletionPolicy: Retain
  data:
    # Secret key `token` is filled from field `token` of the KV entry
    # `platform/gitea-archive-pull`. The path is relative to the store's
    # mount (the `v3/` prefix in the header's bao command is presumably
    # that mount — confirm).
    - secretKey: token
      remoteRef:
        key: platform/gitea-archive-pull
        property: token
        # CRD defaults stamped explicitly so ArgoCD's diff matches the
        # live spec (otherwise the app sits in OutOfSync forever even
        # though ESO is happily reconciling).
        # Default / None / None: no unicode conversion, no base64
        # decoding of the value, and only the secret value is fetched
        # (no KV metadata).
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}