# Runtime secrets for issue-core, materialized from OpenBao by External Secrets
# Operator (cluster default per railiance-platform docs/argocd-gitops.md).
#
# DEPENDENCY: External Secrets Operator is not yet installed on railiance01 and
# the OpenBao path below must be provisioned by railiance-platform. Until then
# this resource will not reconcile and the Deployment stays Pending the Secret.
#
# OpenBao path: platform/workloads/issue-core/issue-core/issue-core-runtime
#   properties: ISSUE_CORE_API_KEY, GITEA_BACKEND_TOKEN
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: issue-core-runtime
  namespace: issue-core
  labels:
    app.kubernetes.io/name: issue-core
    app.kubernetes.io/part-of: railiance-gitops
  annotations:
    argocd.argoproj.io/sync-wave: "0"  # before the Deployment (wave 1)
spec:
  refreshInterval: 1h
  secretStoreRef:
    # Provisioned by railiance-platform during ESO install; name TBC on bootstrap.
    name: openbao
    kind: ClusterSecretStore
  target:
    name: issue-core-runtime
    creationPolicy: Owner
  data:
    - secretKey: ISSUE_CORE_API_KEY
      remoteRef:
        key: platform/workloads/issue-core/issue-core/issue-core-runtime
        property: ISSUE_CORE_API_KEY
    - secretKey: GITEA_BACKEND_TOKEN
      remoteRef:
        key: platform/workloads/issue-core/issue-core/issue-core-runtime
        property: GITEA_BACKEND_TOKEN