apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "agent-common.fullname" . }}-external-secret
  labels:
    {{- include "agent-common.labels" . | nindent 4 }}
  annotations:
    update-on-redeploy: "{{ now }}"
spec:
  secretStoreRef:
    name: {{ include "agent-common.cluster-secret-store.name" . }}
    kind: ClusterSecretStore
  refreshInterval: "1h"
  # The secret that will be created
  target:
    name: {{ include "agent-common.fullname" . }}-secret
    template:
      type: Opaque
      metadata:
        labels:
          {{- include "agent-common.labels" . | nindent 10 }}
      data:
        HYP_BASE_DB: {{ print "'{{ .db | toString }}'" }}
        {{/* RPC URLs */}}
{{- /*
   * For each Outbox network, create an environment variable with the RPC endpoint.
   * The templating of external-secrets will use the data section below to know how
   * to replace the correct value in the created secret.
   */}}
        {{- range .Values.hyperlane.outboxChains }}
        {{- if not .disabled }}
        {{- if eq .connection.type "httpQuorum" }}
        HYP_SCRAPER_{{ .name | upper }}_OUTBOX_CONNECTION_URLS: {{ printf "'{{ .%s_rpcs | fromJson | join \",\" }}'" .name }}
        {{- else }}
        HYP_SCRAPER_{{ .name | upper }}_OUTBOX_CONNECTION_URL: {{ printf "'{{ .%s_rpc | toString }}'" .name }}
        {{- end }}
        {{- end }}
        {{- end }}
{{- /*
   * For each Inbox network, create an environment variable with the RPC endpoint.
   * The templating of external-secrets will use the data section below to know how
   * to replace the correct value in the created secret.
   */}}
        {{- range .Values.hyperlane.inboxChains }}
        {{- if not .disabled }}
        {{- if eq .connection.type "httpQuorum" }}
        HYP_BASE_INBOXES_{{ .name | upper }}_CONNECTION_URLS: {{ printf "'{{ .%s_rpcs | fromJson | join \",\" }}'" .name }}
        {{- else }}
        HYP_BASE_INBOXES_{{ .name | upper }}_CONNECTION_URL: {{ printf "'{{ .%s_rpc | toString }}'" .name }}
        {{- end }}
        {{- end }}
        {{- end }}
  data:
  - secretKey: db
    remoteRef:
      key: {{ printf "%s-%s-scraper-db" .Values.hyperlane.context .Values.hyperlane.runEnv }}
{{- /*
   * For each network, load the secret in GCP secret manager with the form: environment-rpc-endpoint-network,
   * and associate it with the secret key networkname_rpc.
   * We assume that the set of Outbox chains and Inbox chains are the same.
   */}}
  {{- range .Values.hyperlane.inboxChains }}
  {{- if not .disabled }}
  {{- if eq .connection.type "httpQuorum" }}
  - secretKey: {{ printf "%s_rpcs" .name }}
    remoteRef:
      key: {{ printf "%s-rpc-endpoints-%s" $.Values.hyperlane.runEnv .name }}
  {{- else }}
  - secretKey: {{ printf "%s_rpc" .name }}
    remoteRef:
      key: {{ printf "%s-rpc-endpoint-%s" $.Values.hyperlane.runEnv .name }}
  {{- end }}
  {{- end }}
  {{- end }}