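# Secret for Gitea webhook validation
# Used by EventListener to validate incoming webhooks
# NOTE(review): an empty .Values.secrets.webhook.token renders an empty
# secretToken; confirm every deployment overrides it with a random value.
apiVersion: v1
kind: Secret
metadata:
  name: gitea-webhook-secret
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: triggers
  annotations:
    note: "Webhook secret for validating incoming webhooks"
type: Opaque
stringData:
  secretToken: {{ .Values.secrets.webhook.token | quote }}
---
# Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
#
# The password is resolved in this order:
#   1. .Values.secrets.registry.password
#   2. the "password" key of Secret gitea/gitea-admin-secret (read via lookup)
#   3. the literal PLACEHOLDER_PASSWORD
#
# The admin password is COPIED into this Secret at render time; it is not a
# live reference. Rotating gitea-admin-secret needs a new `helm upgrade`.
# lookup returns nothing when Helm is not talking to a cluster (for example
# `helm template`), so those renders fall through to the placeholder.
# NOTE(review): the placeholder is a fixed string that silently yields
# non-working credentials; consider failing the render instead.
# NOTE(review): this reuses the Gitea admin credential for image pushes;
# a dedicated, narrowly scoped account or token would limit exposure.
#
# The guards below are nested rather than combined with `and` because `and`
# evaluates every argument on Helm builds older than Go 1.18, where indexing
# a missing .data aborts the render.
{{- $giteaSecret := (lookup "v1" "Secret" "gitea" "gitea-admin-secret") }}
{{- $giteaPassword := "" }}
{{- if $giteaSecret }}
{{- if $giteaSecret.data }}
{{- if index $giteaSecret.data "password" }}
{{- $giteaPassword = index $giteaSecret.data "password" | b64dec }}
{{- end }}
{{- end }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: gitea-registry-credentials
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: build
  annotations:
    note: "Registry credentials for pushing images - references gitea-admin-secret"
type: kubernetes.io/dockerconfigjson
# The JSON values are emitted with toJson (after toString, so numeric-looking
# values stay strings). quote writes Go string-literal escapes, which are not
# always valid JSON for passwords containing control characters.
# An empty "auths" map is written when registryUrl or username is unset.
stringData:
  {{- $registryPassword := .Values.secrets.registry.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
  {{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username }}
  .dockerconfigjson: |
    {
      "auths": {
        {{ .Values.secrets.registry.registryUrl | toString | toJson }}: {
          "username": {{ .Values.secrets.registry.username | toString | toJson }},
          "password": {{ $registryPassword | toString | toJson }}
        }
      }
    }
  {{- else }}
  .dockerconfigjson: '{"auths":{}}'
  {{- end }}
---
# Secret for Git credentials (used by pipeline to push GitOps updates)
# Password falls back to the value copied from gitea-admin-secret above, then
# to the literal PLACEHOLDER_PASSWORD (see the notes on the registry Secret).
# NOTE(review): the fallback hands the Gitea admin password to the pipeline;
# a dedicated account limited to the GitOps repository would be safer.
apiVersion: v1
kind: Secret
metadata:
  name: gitea-git-credentials
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: gitops
  annotations:
    note: "Git credentials for GitOps updates - references gitea-admin-secret"
type: Opaque
stringData:
  {{- $gitPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
  username: {{ .Values.secrets.git.username | quote }}
  password: {{ $gitPassword | quote }}
---
# Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
# Created in the Flux namespace, not the release namespace, with the same
# username/password resolution as gitea-git-credentials.
# NOTE(review): Flux only pulls, so a read-only credential would be enough;
# the fallback copies the Gitea admin password into a second namespace.
apiVersion: v1
kind: Secret
metadata:
  name: gitea-credentials
  namespace: {{ .Values.pipeline.deployment.fluxNamespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: flux
  annotations:
    note: "Credentials for Flux GitRepository access - references gitea-admin-secret"
type: Opaque
stringData:
  {{- $fluxPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
  username: {{ .Values.secrets.git.username | quote }}
  password: {{ $fluxPassword | quote }}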