{{- if and .Values.externalSecrets.enabled .Values.copilot.enabled .Values.copilot.server.secret.create }} # ExternalSecret for copilot server credentials (syncs from external secret managers) # # Mirrors external-secret-app.yaml: the data list is generated by iterating every # non-empty entry in externalSecrets.remoteRefs.copilot. sim.copilot.validate fails # template rendering if a required key (or any non-empty copilot.server.env key) is # missing a matching remoteRefs.copilot entry, so a misconfiguration surfaces at # `helm template` time instead of a container starting with an empty value. apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion | default "v1beta1" }} kind: ExternalSecret metadata: name: {{ include "sim.copilot.envSecretName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "sim.copilot.labels" . | nindent 4 }} spec: refreshInterval: {{ .Values.externalSecrets.refreshInterval | quote }} secretStoreRef: name: {{ required "externalSecrets.secretStoreRef.name is required when externalSecrets.enabled=true" .Values.externalSecrets.secretStoreRef.name }} kind: {{ .Values.externalSecrets.secretStoreRef.kind | default "ClusterSecretStore" }} target: name: {{ include "sim.copilot.envSecretName" . }} creationPolicy: Owner data: {{- range $secretKey, $ref := .Values.externalSecrets.remoteRefs.copilot }} {{- if $ref }} {{- if kindIs "string" $ref }} - secretKey: {{ $secretKey }} remoteRef: key: {{ $ref }} {{- else if kindIs "map" $ref }} - secretKey: {{ $secretKey }} remoteRef: {{- toYaml $ref | nindent 8 }} {{- end }} {{- end }} {{- end }} {{- end }}