{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") -}}

{{- if and (not $usesKubernetesSecrets) (empty .Values.auth.secretName) -}}
  {{- fail ".Values.auth.secretName is required when .Values.secretResolution.type is not \"kubernetes\"" -}}
{{- end -}}

{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "github-secret.name" . | quote }}
  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
  labels:
    {{- include "github-secret.labels" . | nindent 4 }}
  annotations:
    {{- include "github-secret.annotations" . | nindent 4 }}
  finalizers:
    - actions.github.com/cleanup-protection
type: Opaque
data:
  {{- if not (empty .Values.auth.app.clientId) }}
  github_app_id: {{ .Values.auth.app.clientId | toString | b64enc }}
  github_app_installation_id: {{ required ".Values.auth.app.installationId is required when using GitHub App auth" .Values.auth.app.installationId | toString | b64enc }}
  github_app_private_key: {{ required ".Values.auth.app.privateKey is required when using GitHub App auth" .Values.auth.app.privateKey | toString | b64enc }}
  {{- else }}
  github_token: {{ required ".Values.auth.githubToken is required when auth.secretName and auth.app.clientId are not set" .Values.auth.githubToken | toString | b64enc }}
  {{- end }}
{{- end -}}