# postgres-password-externalsecret.yaml — per-instance Postgres password
# sourced from OpenBao via ESO. Produces the `<fullname>-pg` Secret
# (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) consumed by
# postgres-statefulset.yaml's envFrom.
#
# Single source of truth for pg password lifecycle. The chart had a
# dual-mode shim (legacy postgres-secret.yaml gated by an empty
# passwordVaultPath) through Chunks 1-3 of the A-OpenBao migration;
# rip-out lands in 0.1.8 after all live instances + every Tower
# create path (wizard / migrate / template-deploy) generate overlays
# that carry tenant.id + postgres.passwordVaultPath.
#
# OpenBao path convention: `tenants/<tenant.id>/instances/<instance.code>/pg`
# with a `password` field. Covered by the per-cluster ESO policy
# `eso-tenant-<tenant.id>` (buildEsoPolicy in Go) which grants
# read on `v3/data/tenants/<tenant.id>/*`. No policy change required.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "instance.fullname" . }}-pg
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: {{ .Values.postgres.externalSecretsStoreRef | default "openbao-platform" }}
    kind: ClusterSecretStore
  target:
    name: {{ include "instance.fullname" . }}-pg
    creationPolicy: Owner
    # Retain — never delete the Secret on ExternalSecret deletion. The
    # postgres pod's PGDATA on disk is locked to the password hash in
    # this Secret; an accidental ESO removal must not cascade into the
    # Secret disappearing and forcing a password rotation (which would
    # then drift from pg_authid).
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        POSTGRES_USER: {{ .Values.postgres.user | quote }}
        POSTGRES_PASSWORD: "{{ `{{ .password }}` }}"
        POSTGRES_DB: {{ .Values.postgres.database | quote }}
  data:
    - secretKey: password
      remoteRef:
        key: tenants/{{ required "postgres.passwordVaultPath requires .Values.tenant.id (set by Tower at create time)" .Values.tenant.id }}/instances/{{ .Values.instance.code }}/pg
        property: password
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
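# Added example, not the chart's own buildEsoPolicy: a small Go check that the remoteRef.key above, once
# ESO maps it onto the KV v2 mount, lands under the per-tenant `v3/data/tenants/<tenant.id>/*` read grant
# and under no other tenant's, and that ids containing `/`, `..` or `*` are refused before they can widen
# the glob. The mount name `v3` comes from the comment above; the id charset is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// safeID is an assumed conservative charset: an id can never carry "/" or "*",
// so it cannot escape or widen the tenant prefix in the policy glob.
var safeID = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,62}$`)

// EsoTenantPolicy renders the per-tenant read-only HCL policy described in the
// header comment. Hypothetical stand-in for buildEsoPolicy, not the project's code.
func EsoTenantPolicy(tenantID string) (string, error) {
	if !safeID.MatchString(tenantID) {
		return "", fmt.Errorf("refusing to build policy for unsafe tenant id %q", tenantID)
	}
	return fmt.Sprintf("path \"v3/data/tenants/%s/*\" {\n  capabilities = [\"read\"]\n}\n", tenantID), nil
}

// RemoteKeyToDataPath maps an ExternalSecret remoteRef.key to the KV v2 path the
// ClusterSecretStore actually reads (mount + "/data/" + key).
func RemoteKeyToDataPath(mount, remoteKey string) string {
	return mount + "/data/" + strings.TrimPrefix(remoteKey, "/")
}

// PolicyCovers applies the trailing-"*" rule: the glob matches any suffix after
// its prefix; a policy path without "*" must match exactly.
func PolicyCovers(policyPath, req string) bool {
	if strings.HasSuffix(policyPath, "*") {
		return strings.HasPrefix(req, strings.TrimSuffix(policyPath, "*"))
	}
	return policyPath == req
}

// PgKeyCovered reports whether the -pg secret of (tenantID, instanceCode) is
// readable under policyTenant's grant. The trailing "/" in the prefix keeps
// tenant "ac" from matching tenant "acme".
func PgKeyCovered(policyTenant, tenantID, instanceCode string) bool {
	remoteKey := fmt.Sprintf("tenants/%s/instances/%s/pg", tenantID, instanceCode)
	policyPath := fmt.Sprintf("v3/data/tenants/%s/*", policyTenant)
	return PolicyCovers(policyPath, RemoteKeyToDataPath("v3", remoteKey))
}

func main() {
	pol, _ := EsoTenantPolicy("acme") // constructed sample tenant id
	fmt.Print(pol)
	fmt.Println(PgKeyCovered("acme", "acme", "inst01"), PgKeyCovered("other", "acme", "inst01"))
}
```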