{{- if or (not .Values.db.enabled) (not (.Values.bookstack.auth | default dict | len | eq 0)) }}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: {{ include "bookstack.secret" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "bookstack.labels" . | nindent 4 }}
    app.kubernetes.io/component: bookstack-app
data:
  {{- if not .Values.db.enabled }}
  DB_PASSWORD: {{ required
      "When you disable the onboard database you have to define bookstack.externalDatabase.password"
      .Values.bookstack.externalDatabase.password | b64enc | quote }}
  {{- end }}
  {{- /* -------------------------------------------------
        Social‑Auth‑Sektionen
        ------------------------------------------------- */}}
  {{- $providers := list
        "oidc" "azure" "discord" "facebook" "github" "gitlab"
        "google" "okta" "slack" "twitch" "twitter" }}
  {{- range $_, $p := $providers }}
    {{- /* .Values.bookstack.auth.<provider> als Map holen */}}
    {{- $conf := index $.Values.bookstack.auth $p | default dict }}
    {{- if and ($conf.enabled) (not $conf.existingSecret) }}
  {{ upper $p }}_CLIENT_ID: {{ required
        (printf "You have to define a bookstack.auth.%s.clientId" $p)
        $conf.clientId | b64enc | quote }}
  {{ upper $p }}_CLIENT_SECRET: {{ required
        (printf "You have to define a bookstack.auth.%s.clientSecret" $p)
        $conf.clientSecret | b64enc | quote }}
    {{- end }}
  {{- end }}
  {{- if .Values.bookstack.auth.ldap.enabled }}
  LDAP_SERVER: {{ required 
        "You have to define a bookstack.auth.ldap.server" 
        .Values.bookstack.auth.ldap.server | b64enc | quote }}
  LDAP_DN: {{ required
        "You have to define a bookstack.auth.ldap.dn"
        .Values.bookstack.auth.ldap.dn | b64enc | quote }}
  LDAP_PASS: {{ required
        "You have to define a bookstack.auth.ldap.passw"
        .Values.bookstack.auth.ldap.pass | b64enc | quote }}
  {{- end }}
{{- end }}