{{- /* External Secrets Operator 模板 — 当 secrets.backend=external-secrets 时渲染。 ExternalSecret 引用运维预创建的 SecretStore(指向 Vault / AWS SM / GCP SM / Azure KV), 从外部密钥管理服务拉取全部 11 个 secret slot(KTD-4)。 */ -}} {{- if eq .Values.secrets.backend "external-secrets" }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: {{ include "agentkit.secretName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "agentkit.labels" . | nindent 4 }} spec: secretStoreRef: name: {{ .Values.secrets.externalSecret.secretStoreName | quote }} kind: SecretStore target: name: {{ include "agentkit.secretName" . }} creationPolicy: Owner data: # 1) JWT 签名密钥 - secretKey: {{ .Values.secrets.jwtSigningKey.key }} remoteRef: key: agentkit/jwt-signing-key # 2) API Key - secretKey: {{ .Values.secrets.apiKey.key }} remoteRef: key: agentkit/api-key # 3) DATABASE_URL - secretKey: {{ .Values.secrets.dbCredentials.key }} remoteRef: key: agentkit/database-url # 4) IDP 签名证书 - secretKey: {{ .Values.secrets.idpSigningCerts.key }} remoteRef: key: agentkit/idp-signing-certs # 5) 第三方 API Key - secretKey: {{ .Values.secrets.thirdPartyApiKeys.key }} remoteRef: key: agentkit/third-party-api-keys # 6) TLS 服务器证书 - secretKey: {{ .Values.secrets.tlsServerCert.key }} remoteRef: key: agentkit/tls-server-cert # 7) mTLS 客户端证书 - secretKey: {{ .Values.secrets.mtlsClientCert.key }} remoteRef: key: agentkit/mtls-client-cert # 8) KMS/HSM PKCS#11 PIN - secretKey: {{ .Values.secrets.kmsHsmPin.key }} remoteRef: key: agentkit/kms-hsm-pin # 9) OTel exporter token - secretKey: {{ .Values.secrets.otelExporterToken.key }} remoteRef: key: agentkit/otel-exporter-token # 10) Redis 密码 - secretKey: {{ .Values.secrets.redisPassword.key }} remoteRef: key: agentkit/redis-password # 11) PostgreSQL 密码 - secretKey: {{ .Values.secrets.postgresPassword.key }} remoteRef: key: agentkit/postgres-password {{- end }}