{{- if and .Values.externalSecrets.enabled .Values.app.enabled }} # ExternalSecret for app credentials (syncs from external secret managers) # # The data list is generated by iterating every non-empty entry in # externalSecrets.remoteRefs.app. This lets users sync arbitrary sensitive # keys (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, ...) — not just the legacy # six (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET, CRON_SECRET, # API_ENCRYPTION_KEY, REDIS_URL). Each entry's value may be either: # - a string: treated as the remoteRef.key (legacy form) # - a map: passed through as the remoteRef block (e.g. {key, property, # version, decodingStrategy, conversionStrategy, metadataPolicy}) apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion | default "v1beta1" }} kind: ExternalSecret metadata: name: {{ include "sim.fullname" . }}-app-secrets namespace: {{ .Release.Namespace }} labels: {{- include "sim.app.labels" . | nindent 4 }} spec: refreshInterval: {{ .Values.externalSecrets.refreshInterval | quote }} secretStoreRef: name: {{ required "externalSecrets.secretStoreRef.name is required when externalSecrets.enabled=true" .Values.externalSecrets.secretStoreRef.name }} kind: {{ .Values.externalSecrets.secretStoreRef.kind | default "ClusterSecretStore" }} target: name: {{ include "sim.fullname" . }}-app-secrets creationPolicy: Owner data: {{- range $secretKey, $ref := .Values.externalSecrets.remoteRefs.app }} {{- if $ref }} {{- if kindIs "string" $ref }} - secretKey: {{ $secretKey }} remoteRef: key: {{ $ref }} {{- else if kindIs "map" $ref }} - secretKey: {{ $secretKey }} remoteRef: {{- toYaml $ref | nindent 8 }} {{- end }} {{- end }} {{- end }} {{- end }}