{{- include "enforce.singlecloudcreds" . -}}
{{- include "enforce.singleazurecreds" . -}}
{{- include "check.validateImagePullSecrets" . -}}
{{- if and (eq (include "check.awscreds" . ) "true") (not (eq (include "check.awsSecretName" . ) "true")) }}
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: aws-creds
type: Opaque
data:
  aws_access_key_id: {{ required "secrets.awsAccessKeyId field is required!" .Values.secrets.awsAccessKeyId | b64enc | quote }}
  aws_secret_access_key: {{ required "secrets.awsSecretAccessKey field is required!" .Values.secrets.awsSecretAccessKey | b64enc | quote }}
{{- if .Values.secrets.awsIamRole }}
  role: {{ .Values.secrets.awsIamRole | trim | b64enc | quote }}
{{- end }}
{{- end }}
{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: k10-ecr
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }}
{{- end }}
{{- if and (eq (include "check.googlecreds" .) "true") ( not (eq (include "check.googleCredsSecret" .) "true")) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: google-secret
type: Opaque
data:
  kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }}
{{- if eq (include "check.googleproject" .) "true" }}
  kasten-gke-project: {{ .Values.secrets.googleProjectId | b64enc }}
{{- end }}
{{- end }}
{{- if eq (include "check.azurecreds" .) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: azure-creds
type: Opaque
data:
  {{- if not (eq (include "check.azuresecret" .) "true" ) }}
  {{- if or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true") }}
  azure_client_id: {{ required "secrets.azureClientId field is required!" .Values.secrets.azureClientId | b64enc | quote }}
  {{- end }}
  {{- if eq (include "check.azureClientSecretCreds" .) "true" }}
  azure_tenant_id: {{ required "secrets.azureTenantId field is required!" .Values.secrets.azureTenantId | b64enc | quote }}
  azure_client_secret: {{ required "secrets.azureClientSecret field is required!" .Values.secrets.azureClientSecret | b64enc | quote }}
  {{- end }}
  {{- end }}
  azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }}
  azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }}
  azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }}
  azure_ad_endpoint: {{ default "" .Values.secrets.azureADEndpoint | b64enc | quote }}
  azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }}
  azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }}
{{- end }}
{{- if and (eq (include "check.vspherecreds" .) "true") (not (eq (include "check.vsphereClientSecret" . ) "true")) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: vsphere-creds
type: Opaque
data:
  vsphere_endpoint: {{ required "secrets.vsphereEndpoint field is required!" .Values.secrets.vsphereEndpoint | b64enc | quote }}
  vsphere_username: {{ required "secrets.vsphereUsername field is required!" .Values.secrets.vsphereUsername | b64enc | quote }}
  vsphere_password: {{ required "secrets.vspherePassword field is required!" .Values.secrets.vspherePassword | b64enc | quote }}
{{- end }}
{{- if and (eq (include "basicauth.check" .) "true") (not .Values.auth.basicAuth.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-basic-auth
  namespace: {{ .Release.Namespace }}
data:
  auth: {{ required "auth.basicAuth.htpasswd field is required!" .Values.auth.basicAuth.htpasswd | b64enc | quote}}
type: Opaque
{{- end }}
{{- if .Values.auth.tokenAuth.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-token-auth
  namespace: {{ .Release.Namespace }}
data:
  auth: {{ "true" | b64enc | quote}}
type: Opaque
{{- end }}
{{- if and .Values.auth.oidcAuth.enabled (not .Values.auth.oidcAuth.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }}
  redirect-url: {{ required "auth.oidcAuth.redirectURL field is required!" .Values.auth.oidcAuth.redirectURL | b64enc | quote }}
{{- if not .Values.auth.oidcAuth.clientSecretName }}
  client-id: {{ required "auth.oidcAuth.clientID field is required!" .Values.auth.oidcAuth.clientID | b64enc | quote }}
  client-secret: {{ required "auth.oidcAuth.clientSecret field is required!" .Values.auth.oidcAuth.clientSecret | b64enc | quote }}
{{- end }}
  scopes: {{ required "auth.oidcAuth.scopes field is required!" .Values.auth.oidcAuth.scopes | b64enc | quote }}
  prompt: {{ default "select_account" .Values.auth.oidcAuth.prompt | b64enc | quote }}
  usernameClaim: {{ default "sub" .Values.auth.oidcAuth.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.oidcAuth.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "" .Values.auth.oidcAuth.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.oidcAuth.groupPrefix | b64enc | quote }}
  sessionDuration: {{ default "1h" .Values.auth.oidcAuth.sessionDuration | b64enc | quote }}
{{- if .Values.auth.oidcAuth.refreshTokenSupport }}
  refreshTokenSupport: {{ "true" | b64enc | quote }}
{{- else }}
  refreshTokenSupport: {{ "false" | b64enc | quote }}
{{ end }}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
  logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }}
type: Opaque
{{- end }}
{{- if and (.Values.auth.openshift.enabled) (and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret)) }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: {{ include "get.openshiftServiceAccountSecretName" . }}
  annotations:
    kubernetes.io/service-account.name: {{ .Values.auth.openshift.serviceAccount | quote }}
{{- end }}
{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.openshift.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL)) | b64enc | quote }}
  {{- if .Values.route.enabled  }}
  redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
  {{- else }}
  redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
  {{- end }}
  client-id: {{ (printf "kasten") | b64enc | quote }}
  client-secret: {{ (printf "kastensecret") | b64enc | quote }}
  scopes: {{ (printf "groups profile email") | b64enc | quote }}
  prompt: {{ (printf "select_account") | b64enc | quote }}
  usernameClaim: {{ default "email" .Values.auth.openshift.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.openshift.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "groups" .Values.auth.openshift.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.openshift.groupPrefix | b64enc | quote }}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
type: Opaque
{{- end }}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex"  (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }}
  {{- if .Values.route.enabled  }}
  redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
  {{- else }}
  redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
  {{- end }}
  client-id: {{ (printf "kasten") | b64enc | quote }}
  client-secret: {{ (printf "kastensecret") | b64enc | quote }}
  scopes: {{ (printf "groups profile email") | b64enc | quote }}
  prompt: {{ (printf "select_account") | b64enc | quote }}
  usernameClaim: {{ default "email" .Values.auth.ldap.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.ldap.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "groups" .Values.auth.ldap.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.ldap.groupPrefix | b64enc | quote }}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
type: Opaque
{{- end }}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.bindPWSecretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-dex
  namespace: {{ .Release.Namespace }}
data:
  bindPW: {{ required "auth.ldap.bindPW field is required!" .Values.auth.ldap.bindPW | b64enc | quote }}
type: Opaque
{{- end }}
{{- if eq (include "check.primaryKey" . ) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-encryption-primary-key
  namespace: {{ .Release.Namespace }}
data:
  {{- if .Values.encryption.primaryKey.awsCmkKeyId  }}
  awscmkkeyid: {{ default "" .Values.encryption.primaryKey.awsCmkKeyId | trim | b64enc | quote }}
  {{- end }}
  {{- if .Values.encryption.primaryKey.vaultTransitKeyName  }}
  vaulttransitkeyname: {{ default "" .Values.encryption.primaryKey.vaultTransitKeyName | trim | b64enc | quote }}
  vaulttransitpath: {{ default "transit" .Values.encryption.primaryKey.vaultTransitPath | trim | b64enc | quote }}
  {{- end }}
type: Opaque
{{- end }}