# ---------------------------------------------------------------------------
# Template for cluster secrets. DO NOT commit the real file.
#
# The CHANGE_ME values below are placeholders. Applying this template
# unchanged creates secrets whose values are known to anyone who can read
# this file, so replace every placeholder first, or create the secrets
# directly with kubectl as shown here.
#
# To create the real secrets on the cluster:
#
#   # Postgres — generate a strong password
#   # ('=', '+' and '/' are stripped because the password is embedded in
#   # DATABASE_URL below, where they would need percent-encoding.)
#   POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
#   kubectl -n anydrop create secret generic postgres-credentials \
#     --from-literal=username=anydrop \
#     --from-literal=password="$POSTGRES_PASSWORD"
#
#   # App secrets — session signing + DB URL
#   # ('\n' is stripped as well: openssl wraps base64 output at 64 characters,
#   # so 64 random bytes would otherwise give a value with an embedded newline.)
#   SESSION_SECRET=$(openssl rand -base64 64 | tr -d '=+/\n')
#   DATABASE_URL="postgres://anydrop:${POSTGRES_PASSWORD}@postgres.anydrop.svc.cluster.local:5432/anydrop"
#   kubectl -n anydrop create secret generic anydrop-app-secrets \
#     --from-literal=SESSION_SECRET="$SESSION_SECRET" \
#     --from-literal=DATABASE_URL="$DATABASE_URL"
#
#   # Clear the values from the shell once both secrets exist
#   unset POSTGRES_PASSWORD SESSION_SECRET DATABASE_URL
#
# NOTE: --from-literal puts the expanded value on kubectl's command line,
# where other local users can see it in the process list while the command
# runs. Run these commands from a trusted, single-user workstation.
#
# Rotate by replacing the secret and restarting the pods:
#   kubectl -n anydrop rollout restart deployment/anydrop-server
#
# "kubectl create secret" fails if the secret already exists. To replace one
# in place, render it client-side and apply it, e.g.:
#   kubectl -n anydrop create secret generic anydrop-app-secrets \
#     --from-literal=SESSION_SECRET="$SESSION_SECRET" \
#     --from-literal=DATABASE_URL="$DATABASE_URL" \
#     --dry-run=client -o yaml | kubectl apply -f -
#
# NOTE(review): rotating the Postgres password also means changing the
# role's password inside the database and regenerating DATABASE_URL with the
# new value; replacing the Kubernetes secret alone does not do that. How the
# database picks up the new password depends on the Postgres deployment,
# which is not shown here — confirm before rotating.
# NOTE(review): rotating SESSION_SECRET presumably invalidates existing user
# sessions — confirm against the application's session handling.
# ---------------------------------------------------------------------------
# Credentials for the "anydrop" Postgres role.
# stringData accepts plain text; the API server stores it base64-encoded
# under "data". Base64 is an encoding, not encryption: anyone with read
# access to secrets in this namespace can recover the value.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: anydrop
type: Opaque
stringData:
  username: anydrop
  # Placeholder — must be replaced before this manifest is applied.
  password: CHANGE_ME_STRONG_PASSWORD
---
# Application secrets: the session signing key and the database connection URL.
apiVersion: v1
kind: Secret
metadata:
  name: anydrop-app-secrets
  namespace: anydrop
type: Opaque
stringData:
  # Placeholder — must be replaced before this manifest is applied.
  SESSION_SECRET: CHANGE_ME_64_BYTE_RANDOM_STRING
  # The password in this URL must match postgres-credentials.password above.
  DATABASE_URL: postgres://anydrop:CHANGE_ME@postgres.anydrop.svc.cluster.local:5432/anydrop