{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
{{- if and .Values.tenant.id .Values.tenant.slug }}
# cloudflare-api-token-<slug> — per-tenant CF token used by cert-manager's
# DNS-01 solver. Pulled from OpenBao path v3/tenants/<id>/cloudflare-token,
# field api_token, exposed as Secret key "api-token" (matches what the
# ClusterIssuer references via secretKeyRef.key in cluster-issuer.yaml).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token-{{ .Values.tenant.slug }}
  namespace: odoosky-system
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    name: cloudflare-api-token-{{ .Values.tenant.slug }}
    creationPolicy: Owner
    deletionPolicy: Retain
  data:
    - secretKey: api-token
      remoteRef:
        key: tenants/{{ .Values.tenant.id }}/cloudflare-token
        property: api_token
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}
{{- end }}