{{- /*
Render a Secret only when S3 is enabled AND inline credentials are provided.
Use the same name/keys the Deployment expects via secretRef overrides to avoid mismatch.
*/ -}}
{{- if and .Values.config.storage.providers.s3.enabled (or .Values.config.storage.providers.s3.access_key .Values.config.storage.providers.s3.secret_key) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.config.storage.providers.s3.secretRef.name | default "storage-credentials" | quote }}
  namespace: {{ include "sebastian.namespace" . }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
type: Opaque
stringData:
  {{- if .Values.config.storage.providers.s3.access_key }}
  {{ .Values.config.storage.providers.s3.secretRef.accessKeyKey | default "S3_ACCESS_KEY" }}: {{ .Values.config.storage.providers.s3.access_key | quote }}
  {{- end }}
  {{- if .Values.config.storage.providers.s3.secret_key }}
  {{ .Values.config.storage.providers.s3.secretRef.secretKeyKey | default "S3_SECRET_KEY" }}: {{ .Values.config.storage.providers.s3.secret_key | quote }}
  {{- end }}
{{- end }}