{{- if not .Values.config.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "pomerium.secretName" . }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSecretLabels }}
    {{- range $key, $value := .Values.config.extraSecretLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
{{- end }}
type: Opaque
stringData:
  config.yaml: |
{{ include "pomerium.config.static" . |  indent 4 -}}
{{ include "pomerium.config.dynamic" . | indent 4 -}}
{{- end }}

---
{{- if not .Values.config.existingSharedSecret }}
{{- $sharedSecret := coalesce .Values.config.sharedSecret (randAscii 32 | b64enc) }}
{{- $cookieSecret := coalesce .Values.config.cookieSecret (randAscii 32 | b64enc) }}
{{- $sharedSecretData := (lookup "v1" "Secret" .Release.Namespace (include "pomerium.sharedSecretName" .) ).data }}
{{- if and $sharedSecretData (not .Values.config.forceGenerateServiceSecrets) }}
{{- $sharedSecret = (index $sharedSecretData "SHARED_SECRET" | b64dec) }}
{{- $cookieSecret = (index $sharedSecretData "COOKIE_SECRET" | b64dec) }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "pomerium.sharedSecretName" . }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSharedSecretLabels }}
    {{- range $key, $value := .Values.config.extraSharedSecretLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
{{- end }}
type: Opaque
data:
  SHARED_SECRET: {{ $sharedSecret | b64enc }}
  COOKIE_SECRET: {{ $cookieSecret | b64enc }}
{{- end }}