UpstreamAuthority "vault" {
  plugin_data {
    vault_addr = {{ quote .Values.mtls.upstreamAuthority.vault.vaultAddr }}
    namespace = {{ quote .Values.mtls.upstreamAuthority.vault.namespace }}
    ca_cert_path = "/run/spire/config/upstreamCA.crt"
    {{- if .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}
    pki_mount_path = {{ quote .Values.mtls.upstreamAuthority.vault.pkiMountPoint }}{{ end }}
    {{- if .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}
    insecure_skip_verify = {{ .Values.mtls.upstreamAuthority.vault.insecureSkipVerify }}{{ end }}
    {{- if .Values.mtls.upstreamAuthority.vault.certAuth}}
    cert_auth = {
      client_cert_path = "/run/spire/config/upstreamClient.crt"
      client_key_path = "/run/spire/secrets/upstreamClient.key"
      {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}
      cert_auth_role_name = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthRoleName }}{{ end }}
      {{- if .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}
      cert_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.certAuth.certAuthMountPoint }}{{ end }}
    }{{ end }}
    {{-  if .Values.mtls.upstreamAuthority.vault.tokenAuth }}
    token_auth = {}{{ end }}
    {{- if .Values.mtls.upstreamAuthority.vault.approleAuth }}
    approle_auth = {
      approle_id = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleID }}
      {{- if .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}
      approle_auth_mount_point = {{ quote .Values.mtls.upstreamAuthority.vault.approleAuth.approleAuthMountPoint }}{{ end }}
    }{{ end }}
  }
}