{{- if .Values.externalSecret.enabled }}
{{- if and .Values.externalSecret.vault.server .Values.externalSecret.remoteRef.applicationKey .Values.externalSecret.remoteRef.applicationSecret .Values.externalSecret.remoteRef.consumerKey }}
---
# ExternalSecret pour cert-manager-webhook-ovh-ops
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cert-manager-webhook-ovh
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  refreshInterval: {{ .Values.externalSecret.refreshInterval | default "1h" }}
  secretStoreRef:
    name: {{ .Values.externalSecret.vault.secretStoreName | default "vault-backend" }}
    kind: ClusterSecretStore
  target:
    name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
    creationPolicy: Owner
  data:
    - secretKey: application-key
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.applicationKey }}
    - secretKey: application-secret
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.applicationSecret }}
    - secretKey: consumer-key
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.consumerKey }}
---
# ExternalSecret pour cert-manager-ops (partage du même secret)
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
  namespace: {{ .Values.cert-manager-webhook-ovh.certManager.namespace | default "cert-manager-ops" }}
  labels:
    app.kubernetes.io/name: cert-manager-webhook-ovh
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  refreshInterval: {{ .Values.externalSecret.refreshInterval | default "1h" }}
  secretStoreRef:
    name: {{ .Values.externalSecret.vault.secretStoreName | default "vault-backend" }}
    kind: ClusterSecretStore
  target:
    name: {{ .Values.externalSecret.secretName | default "cert-manager-webhook-ovh" }}
    creationPolicy: Owner
  data:
    - secretKey: application-key
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.applicationKey }}
    - secretKey: application-secret
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.applicationSecret }}
    - secretKey: consumer-key
      remoteRef:
        key: {{ .Values.externalSecret.remoteRef.consumerKey }}
{{- else }}
{{- fail "External Secrets est activé mais la configuration est incomplète. Veuillez définir externalSecret.vault.server et tous les remoteRef (applicationKey, applicationSecret, consumerKey)" }}
{{- end }}
{{- end }}