{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if (not .Values.auth.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.names.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
    {{- end }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
  {{- end }}
type: Opaque
data:
  airflow-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "airflow-password" "providedValues" (list "auth.password") "context" $) }}
  # Airflow keys must be base64-encoded, hence we need to pipe to 'b64enc' twice
  # The auto-generation mechanism available at "common.secrets.passwords.manage" isn't compatible with encoding twice
  # Therefore, we can only use this function if the secret already exists
  {{- if or (include "common.secrets.exists" (dict "secret" (include "common.names.fullname" .) "context" $)) (not (empty .Values.auth.fernetKey)) }}
  airflow-fernet-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "airflow-fernet-key" "providedValues" (list "auth.fernetKey") "context" $) }}
  {{- else }}
  airflow-fernet-key: {{ randAlphaNum 32 | b64enc | b64enc | quote }}
  {{- end }}
  {{- if or (include "common.secrets.exists" (dict "secret" (include "common.names.fullname" .) "context" $)) (not (empty .Values.auth.secretKey)) }}
  airflow-secret-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "airflow-secret-key" "providedValues" (list "auth.secretKey") "context" $) }}
  {{- else }}
  airflow-secret-key: {{ randAlphaNum 32 | b64enc | b64enc | quote }}
  {{- end }}
{{- end }}