{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
# docker-mirror-pull — platform-wide registry credential. Two ExternalSecrets
# (one per namespace the chart consumes the Secret in) sourced from the same
# OpenBao path. Type kubernetes.io/dockerconfigjson rendered via ESO template
# from the registry/username/password fields stored in OpenBao.
{{- range $ns := list "odoosky-system" "tenants" }}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: docker-mirror-pull
  namespace: {{ $ns }}
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    name: docker-mirror-pull
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      type: kubernetes.io/dockerconfigjson
      engineVersion: v2
      data:
        .dockerconfigjson: |
          {{ `{"auths":{"{{ .registry }}":{"username":"{{ .username }}","password":"{{ .password }}","auth":"{{ printf "%s:%s" .username .password | b64enc }}"}}}` }}
  data:
    - secretKey: registry
      remoteRef:
        key: platform/docker-mirror-pull
        property: registry
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: username
      remoteRef:
        key: platform/docker-mirror-pull
        property: username
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: password
      remoteRef:
        key: platform/docker-mirror-pull
        property: password
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}
{{- end }}