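{{- if .Values.postgres.passwordVaultPath }}
# postgres-password-externalsecret.yaml — per-instance Postgres password
# sourced from OpenBao via ESO. Produces the same `-pg` Secret
# shape (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) that the legacy
# postgres-secret.yaml produces, so postgres-statefulset.yaml is unchanged.
#
# Rendered only when `.Values.postgres.passwordVaultPath` is set. The
# legacy postgres-secret.yaml renders when that field is empty —
# exactly one of the two ships per instance. Tower-managed migration
# in Chunk 3 flips overlays from the legacy path to this one.
#
# OpenBao path convention: `tenants/<tenant.id>/instances/<instance.code>/pg`
# with a `password` field (mirrors the remoteRef.key below). Covered by the
# per-cluster ESO policy `eso-tenant-<...>` (buildEsoPolicy in Go) which
# already grants read on `v3/data/tenants/<tenant.id>/*`. No policy change
# required.
#
# Both path components are guarded with `required` so a missing value
# fails the render instead of silently producing a key like
# `tenants/x/instances//pg` that points at a non-existent (or wrong) path.
#
# NOTE(review): nothing in this template ties `.Values.tenant.id` to the
# namespace it renders into; isolation between tenants rests on the
# ClusterSecretStore's policy scoping — confirm that is enforced there.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "instance.fullname" . }}-pg
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  # A rotated value in OpenBao reaches the Secret within this window, but
  # the running Postgres keeps the hash it was initialised with (see the
  # deletionPolicy note) — presumably rotation has to be coordinated with
  # the database, not done by changing the vault value alone; confirm.
  refreshInterval: "1h"
  secretStoreRef:
    name: {{ .Values.postgres.externalSecretsStoreRef | default "openbao-platform" }}
    kind: ClusterSecretStore
  target:
    name: {{ include "instance.fullname" . }}-pg
    creationPolicy: Owner
    # Retain — never delete the Secret on ExternalSecret deletion. The
    # postgres pod's PGDATA on disk is locked to the password hash in
    # this Secret; an accidental ESO removal must not cascade into the
    # Secret disappearing and forcing a password rotation (which would
    # then drift from pg_authid).
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        POSTGRES_USER: {{ .Values.postgres.user | quote }}
        # Backtick raw string so Helm emits the literal `{{ .password }}`
        # for ESO's own templating engine to resolve at sync time.
        POSTGRES_PASSWORD: "{{ `{{ .password }}` }}"
        POSTGRES_DB: {{ .Values.postgres.database | quote }}
  data:
    - secretKey: password
      remoteRef:
        key: tenants/{{ required "postgres.passwordVaultPath requires .Values.tenant.id (set by Tower at create time)" .Values.tenant.id }}/instances/{{ required "postgres.passwordVaultPath requires .Values.instance.code" .Values.instance.code }}/pg
        property: password
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}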