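{{- /*
Pre-install/pre-upgrade hook that copies a fixed set of credential Secrets
from the source namespace into .Values.hostedEnv.namespace.

Renders, only when .Values.hostedEnv.enabled is set:
  - a Job that runs kubectl to copy each Secret that exists in the source
    namespace (missing ones are skipped),
  - the ServiceAccount the Job runs as,
  - two namespaced Role/RoleBinding pairs: read-only on the named Secrets in
    the source namespace, and write access to Secrets in the target namespace.

The Job's identity is deliberately NOT bound to a ClusterRole: a cluster-wide
get/create/patch/delete grant on "secrets" lets whoever can run a pod under
this ServiceAccount read or overwrite every Secret in every namespace.
The script never reads Namespace objects, so no rule on "namespaces" is
granted either. "apply" is not an RBAC verb (kubectl apply uses get, create
and patch), so it is not listed.

NOTE(review): a ClusterRole/ClusterRoleBinding left behind by a failed run of
an earlier revision of this hook is not removed by this template; check for
leftovers named "<fullname>-harbor-role" / "<fullname>-harbor-bind".
*/ -}}
{{- /* Kept as two nested ifs so .enabled is only evaluated when hostedEnv is set. */ -}}
{{- if .Values.hostedEnv }}
{{- if .Values.hostedEnv.enabled }}
{{- $fullname := include "sebastian.fullname" . }}
{{- $jobName := printf "%s-harbor-creds" $fullname | trunc 63 | trimSuffix "-" }}
{{- $shortName := printf "harbor-creds-%s" (substr 0 8 ($fullname | sha256sum)) | trunc 63 | trimSuffix "-" }}
{{- $saName := printf "%s-harbor-sa" $fullname | trunc 63 | trimSuffix "-" }}
{{- $readRoleName := printf "%s-harbor-read" $fullname | trunc 63 | trimSuffix "-" }}
{{- $writeRoleName := printf "%s-harbor-write" $fullname | trunc 63 | trimSuffix "-" }}
{{- /* Namespace the Secrets are copied from. */ -}}
{{- $sourceNamespace := "msp" }}
{{- /* Single source of truth: drives both the copy loop and the RBAC resourceNames. */ -}}
{{- $secretNames := list "harbor-credentials" "db-credentials" "redis-credentials" "vault-credentials" }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ $jobName }}
  namespace: {{ .Values.hostedEnv.namespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    # Runs after the ServiceAccount and RBAC hooks (weight -18).
    "helm.sh/hook-weight": "-15"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  template:
    metadata:
      name: {{ $shortName }}
      labels:
        {{- include "sebastian.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: harbor-credentials
      annotations:
        sidecar.istio.io/inject: "false"
        traffic.sidecar.istio.io/excludeOutboundPorts: "443,6443"
    spec:
      serviceAccountName: {{ $saName }}
      restartPolicy: Never
      containers:
        - name: copy-credentials
          # NOTE(review): the tag is mutable. This container handles Secret
          # material, so pin the image by digest once a verified one is
          # available, e.g. alpine/k8s:1.28.3@sha256:<VERIFIED_DIGEST>.
          image: alpine/k8s:1.28.3
          # kubectl needs no extra privileges inside the container.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # Passed as environment variables instead of being templated into
            # the script text, so a value is never interpreted as shell syntax.
            - name: SOURCE_NAMESPACE
              value: {{ $sourceNamespace | quote }}
            - name: TARGET_NAMESPACE
              value: {{ .Values.hostedEnv.namespace | quote }}
          command:
            - /bin/sh
            - -c
            - |
              set -e
              for name in {{ join " " $secretNames }}; do
                echo "Attempting to copy $name from ${SOURCE_NAMESPACE} to ${TARGET_NAMESPACE}..."
                # Any failure of this probe, including an RBAC "forbidden",
                # takes the "skipping" branch; check the Role bindings if a
                # Secret that exists is reported as not found.
                if kubectl get secret "$name" -n "${SOURCE_NAMESPACE}" >/dev/null 2>&1; then
                  # Delete existing secret first to avoid conflicts
                  kubectl delete secret "$name" -n "${TARGET_NAMESPACE}" --ignore-not-found=true
                  # The manifest is copied as-is apart from the namespace line,
                  # so labels, annotations and ownerReferences of the source
                  # object travel with it. NOTE(review): confirm the source
                  # Secrets carry no ownerReferences.
                  kubectl get secret "$name" -n "${SOURCE_NAMESPACE}" -o yaml \
                    | sed "s/namespace: ${SOURCE_NAMESPACE}/namespace: ${TARGET_NAMESPACE}/" \
                    | kubectl apply -f -
                  echo "Copied $name"
                else
                  echo "Secret $name not found in ${SOURCE_NAMESPACE}; skipping"
                fi
              done
              echo "Credentials copy completed"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $saName }}
  namespace: {{ .Values.hostedEnv.namespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
# Read-only access to exactly the Secrets being copied, in the source namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $readRoleName }}
  namespace: {{ $sourceNamespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: {{ toJson $secretNames }}
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $readRoleName }}
  namespace: {{ $sourceNamespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
  - kind: ServiceAccount
    name: {{ $saName }}
    namespace: {{ .Values.hostedEnv.namespace | quote }}
roleRef:
  kind: Role
  name: {{ $readRoleName }}
  apiGroup: rbac.authorization.k8s.io
---
# Write access in the target namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $writeRoleName }}
  namespace: {{ .Values.hostedEnv.namespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
  # kubectl apply reads the live object and patches it when it exists;
  # kubectl delete removes the previous copy.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: {{ toJson $secretNames }}
    verbs: ["get", "patch", "delete"]
  # A create request cannot be limited by resourceNames, so this rule covers
  # Secret creation in this one namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $writeRoleName }}
  namespace: {{ .Values.hostedEnv.namespace | quote }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
    app.kubernetes.io/component: harbor-credentials
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-18"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
  - kind: ServiceAccount
    name: {{ $saName }}
    namespace: {{ .Values.hostedEnv.namespace | quote }}
roleRef:
  kind: Role
  name: {{ $writeRoleName }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}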