{{- if .Values.devEnv.enabled }}
{{- $fullname := include "sebastian.fullname" . }}
{{- $jobName := printf "%s-harbor-creds" $fullname | trunc 63 | trimSuffix "-" }}
{{- $shortName := printf "harbor-creds-%s" (substr 0 8 ($fullname | sha256sum)) | trunc 63 | trimSuffix "-" }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ $jobName }}
  namespace: {{ .Values.devEnv.namespace }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-15"  # After namespace creation (-20) but before other secrets (-10)
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  template:
    metadata:
      name: {{ $shortName }}
      labels:
        {{- include "sebastian.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: harbor-credentials
    spec:
      serviceAccountName: {{ printf "%s-harbor-sa" $fullname | trunc 63 | trimSuffix "-" }}
      restartPolicy: Never
      containers:
        - name: copy-credentials
          image: alpine/k8s:1.28.3
          command:
            - /bin/sh
            - -c
            - |
              echo "Copying harbor-credentials from msp namespace..."
              kubectl get secret harbor-credentials -n msp -o yaml | \
                sed 's/namespace: msp/namespace: {{ .Values.devEnv.namespace }}/' | \
                kubectl apply -f -
              echo "Harbor credentials copied successfully"

---
{{- $saName := printf "%s-harbor-sa" $fullname | trunc 63 | trimSuffix "-" }}
{{- $roleName := printf "%s-harbor-role" $fullname | trunc 63 | trimSuffix "-" }}
{{- $bindingName := printf "%s-harbor-bind" $fullname | trunc 63 | trimSuffix "-" }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $saName }}
  namespace: {{ .Values.devEnv.namespace }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $roleName }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "create", "apply", "patch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $bindingName }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
- kind: ServiceAccount
  name: {{ $saName }}
  namespace: {{ .Values.devEnv.namespace }}
roleRef:
  kind: ClusterRole
  name: {{ $roleName }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}