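{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
# ClusterSecretStore — single store per cluster, namespace-spanning so a
# tenants-namespace ExternalSecret can also reference it (current Phase 1
# scope only writes to odoosky-system, but downstream phases will fan out to
# the tenants ns for s3-backup-creds).
#
# SECURITY: a ClusterSecretStore can be referenced from *every* namespace
# unless spec.conditions restricts it, so any principal that can create an
# ExternalSecret anywhere in the cluster can read whatever the
# `eso-platform-read` policy grants. Set
# `externalSecrets.openbao.allowedNamespaces` (a list of namespace names) to
# pin the store to the namespaces that actually need it. When the value is
# unset the rendered manifest is unchanged from before (cluster-wide).
#
# auth.kubernetes.mountPath is per-cluster (Tower passes a value of the form
# `kubernetes-<cluster>` as a helm parameter — confirm the exact form against
# the Tower job template). Each cluster authenticates against its own
# OpenBao auth mount, with the `eso-platform-read` policy bound to the role.
# The ServiceAccount referenced below is created by the ESO subchart in
# odoosky-system.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: openbao-platform
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
spec:
  {{- with .Values.externalSecrets.openbao.allowedNamespaces }}
  # Only ExternalSecrets living in these namespaces may reference this store;
  # ESO rejects references from any other namespace.
  conditions:
    - namespaces:
        {{- toYaml . | nindent 8 }}
  {{- end }}
  provider:
    vault:
      # Fail the helm render, not the ESO reconcile, when the server URL is
      # missing: an empty string would otherwise reach ESO and surface only
      # as a vague store-validation error at runtime.
      server: {{ required "externalSecrets.openbao.server must be set" .Values.externalSecrets.openbao.server | quote }}
      # No caBundle/caProvider is configured, so the OpenBao server
      # certificate must chain to the ESO pod's system trust store.
      # NOTE(review): confirm this holds for the CA that issues OpenBao's cert.
      path: "v3"
      version: "v2"
      auth:
        kubernetes:
          mountPath: {{ .Values.externalSecrets.openbao.mountPath | quote }}
          role: {{ .Values.externalSecrets.openbao.role | default "eso" | quote }}
          serviceAccountRef:
            # ESO subchart names its SA `<release>-external-secrets`
            # (no fullnameOverride — see values.yaml). The OpenBao
            # role's bound_service_account_names must match this
            # exact name (e.g. `qsoft-platform-external-secrets`), and
            # bound_service_account_namespaces must include odoosky-system.
            name: "{{ .Release.Name }}-external-secrets"
            namespace: odoosky-system
{{- end }}
{{- end }}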