{{- if not .Values.jwtSecret.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-jwt
  labels:
    {{- include "bjw-s.common.lib.controller.metadata.labels" . | nindent 4 }}
  annotations:
    "helm.sh/resource-policy": keep
type: Opaque
data:
  {{- if .Values.jwtSecret.value }}
  JWT_SECRET: {{ .Values.jwtSecret.value | b64enc | quote }}
  {{- else }}
  # Generate a random JWT secret if not provided
  # This uses a lookup to preserve the secret across upgrades
  {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-jwt" (include "bjw-s.common.lib.chart.names.fullname" .)) }}
  {{- if $existingSecret }}
  JWT_SECRET: {{ index $existingSecret.data "JWT_SECRET" | quote }}
  {{- else }}
  JWT_SECRET: {{ randAlphaNum 43 | b64enc | quote }}
  {{- end }}
  {{- end }}
{{- end }}