{{- if .Values.db.enabled }}
{{- $ns := include "sebastian.namespace" . -}}
{{- $existing := (lookup "v1" "Secret" $ns "db-credentials") -}}
{{- $existingPVC := (lookup "v1" "PersistentVolumeClaim" $ns (printf "%s-postgres-data" (include "sebastian.fullname" .))) -}}
{{- if and (not $existing) $existingPVC }}
{{- fail (printf "Refusing to generate db-credentials because PVC %s/%s already exists. Existing appliance data must be recovered with the original secret or wiped before a fresh install." $ns (printf "%s-postgres-data" (include "sebastian.fullname" .))) }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: {{ include "sebastian.namespace" . }}
  annotations:
    "helm.sh/resource-policy": keep
type: Opaque
data:
{{- if $existing }}
  DB_PASSWORD_HOCUSPOCUS: {{ index $existing.data "DB_PASSWORD_HOCUSPOCUS" }}
  DB_PASSWORD_PGBOUNCER: {{ index $existing.data "DB_PASSWORD_PGBOUNCER" }}
  DB_PASSWORD_SERVER: {{ index $existing.data "DB_PASSWORD_SERVER" }}
  DB_PASSWORD_SUPERUSER: {{ index $existing.data "DB_PASSWORD_SUPERUSER" }}
{{- else }}
  DB_PASSWORD_HOCUSPOCUS: {{ randAlphaNum 32 | b64enc | quote }}
  DB_PASSWORD_PGBOUNCER: {{ randAlphaNum 32 | b64enc | quote }}
  DB_PASSWORD_SERVER: {{ randAlphaNum 32 | b64enc | quote }}
  DB_PASSWORD_SUPERUSER: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
{{- end }}