{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
{{ $context := . -}}
{{ range .Values.backup.objectStore -}}
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
  namespace: {{ include "cluster.namespace" $context }}
  labels:
    {{- include "cluster.labels" $context | nindent 4 }}
    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
    {{- with $context.Values.cluster.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
{{ end -}}
{{ end }}

{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ include "cluster.recoverySecretName" . }}
  namespace: {{ include "cluster.namespace" . }}
  labels:
    {{- include "cluster.labels" . | nindent 4 }}
    app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
    {{- with .Values.cluster.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
{{- end }}