---
apiVersion: v1
kind: Secret
metadata:
  name: "connect-secrets"
  annotations:
    "helm.sh/resource-policy": "keep"
data:
  # try to get the old secret
  # keep in mind, that a dry-run only returns an empty map 
  {{- $old_sec := lookup "v1" "Secret" .Release.Namespace "connect-secrets" }}

 # check, if a secret is already set
  {{- if or (not $old_sec) (not $old_sec.data) }}
  # if not set, then generate a new password
  JWT_SECRET: "{{ .Values.connect.jwt.secret | b64enc }}"
  ADMIN_PASSWORD: "{{ .Values.connect.admin.password | b64enc }}"
  DATASOURCE_USERNAME: "{{ .Values.connect.database.username | b64enc }}"
  DATASOURCE_PASSWORD: "{{ .Values.connect.database.password | b64enc }}"
  ELASTIC_USERNAME: "{{ .Values.connect.elastic.username | b64enc }}"
  ELASTIC_PASSWORD: "{{ .Values.connect.elastic.password | b64enc }}"
  OIDC_CLIENT_SECRET: "{{ .Values.connect.oidc.client_secret | b64enc }}"
  MAIL_USER: "{{ .Values.connect.mail.username | b64enc }}"
  MAIL_PASSWORD: "{{ .Values.connect.mail.password | b64enc }}"
  {{ else }}
  # if set, then use the old value
  JWT_SECRET: {{ index $old_sec.data "JWT_SECRET" }}
  ADMIN_PASSWORD: {{ index $old_sec.data "ADMIN_PASSWORD" }}
  DATASOURCE_USERNAME: {{ index $old_sec.data "DATASOURCE_USERNAME" }}
  DATASOURCE_PASSWORD: {{ index $old_sec.data "DATASOURCE_PASSWORD" }}
  ELASTIC_USERNAME: {{ index $old_sec.data "ELASTIC_USERNAME" }}
  ELASTIC_PASSWORD: {{ index $old_sec.data "ELASTIC_PASSWORD" }}
  OIDC_CLIENT_SECRET: {{ index $old_sec.data "OIDC_CLIENT_SECRET" }}
  MAIL_USER: {{ index $old_sec.data "MAIL_USER" }}
  MAIL_PASSWORD: {{ index $old_sec.data "MAIL_PASSWORD" }}
  {{ end }}