# Example ExternalSecret for the API7 Gateway credentials.
# Nothing in this file is deployed by default; it is a reference only.
#
# Steps to use it with External Secrets Operator (ESO):
#   1. Install External Secrets Operator in your cluster.
#   2. Configure a SecretStore (e.g. AWS Secrets Manager, Vault, etc.).
#   3. Rename this file to remove the .example extension.
#   4. Set api7.gateway.existingSecret to the target secret name below.
#   5. Adjust the backend configuration to match your SecretStore.
#
# Documentation: https://external-secrets.io/
#
# NOTE(review): Helm evaluates template actions even when they sit inside a
# YAML comment. Keep that in mind for the commented examples at the bottom
# of this file once the guard below is switched on.
{{- if false }}  # Change to 'if .Values.api7.gateway.useExternalSecret' to enable
# NOTE(review): the apiVersion must match the ESO CRDs installed in the
# cluster; newer ESO releases serve external-secrets.io/v1 - confirm before
# enabling.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "api7ee.fullname" . }}-api7-admin-external
  labels:
    {{- include "api7ee.labels" . | nindent 4 }}
    app.kubernetes.io/component: api7
spec:
  # How often ESO re-reads the values from the external provider. A key
  # rotated in the provider can take up to this long to reach the cluster.
  refreshInterval: 1h

  # Which store the values are read from.
  # A namespaced SecretStore keeps access scoped to this namespace; a
  # ClusterSecretStore can be referenced from other namespaces as well.
  secretStoreRef:
    name: vault-backend  # Name of your SecretStore
    kind: SecretStore  # or ClusterSecretStore

  # The Kubernetes Secret that ESO writes.
  # It holds the gateway admin key, so read access to it should be limited
  # through RBAC to the workloads that need it.
  target:
    name: {{ include "api7ee.fullname" . }}-api7-admin
    # Owner: ESO creates the Secret and owns its lifecycle.
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        # Map the fetched values (secretKey entries under spec.data) to the
        # keys of the Kubernetes Secret. The inner expression is wrapped in
        # backticks so Helm emits it literally and ESO resolves it later.
        admin-url: "{{ `{{ .adminUrl }}` }}"
        admin-key: "{{ `{{ .adminKey }}` }}"
        gateway-group: "{{ `{{ .group }}` }}"

  # Values to fetch from the external provider.
  # All three are read from the same remote entry; the store credentials
  # only need read access to that one path.
  data:
    - secretKey: adminUrl
      remoteRef:
        key: api7/gateway  # Path in the external secret store
        property: admin_url  # Property name within that entry
    - secretKey: adminKey
      remoteRef:
        key: api7/gateway
        property: admin_key
    - secretKey: group
      remoteRef:
        key: api7/gateway
        property: gateway_group
---
# Example SecretStore for AWS Secrets Manager
# apiVersion: external-secrets.io/v1beta1
# kind: SecretStore
# metadata:
#   name: aws-secretsmanager
# spec:
#   provider:
#     aws:
#       service: SecretsManager
#       region: us-east-1
#       auth:
#         jwt:
#           serviceAccountRef:
#             name: external-secrets-sa
---
# Example SecretStore for HashiCorp Vault
# The Vault role bound to the service account should carry a read-only
# policy limited to the path used above.
# apiVersion: external-secrets.io/v1beta1
# kind: SecretStore
# metadata:
#   name: vault-backend
# spec:
#   provider:
#     vault:
#       server: "https://vault.example.com"
#       path: "secret"
#       version: "v2"
#       auth:
#         kubernetes:
#           mountPath: "kubernetes"
#           role: "api7-role"
#           serviceAccountRef:
#             name: {{ include "api7ee.serviceAccountName" . }}
{{- end }}