# ---------------------------------------------------------------------------
# Template for cluster secrets. DO NOT commit the real file.
#
# Three Opaque Secrets for the `anydrop` namespace: Postgres credentials,
# application secrets (session signing, DB URL, Stripe), and the MinIO
# access keys. Kubernetes stores `stringData` base64-encoded, not encrypted,
# unless encryption at rest is configured on the API server, so a filled-in
# copy of this file is as sensitive as the secrets themselves.
#
# To create the real secrets on the cluster:
#
#   # Postgres — generate a strong password
#   # `tr -d '=+/'` drops the base64 characters that would otherwise need
#   # percent-encoding when the password is embedded in DATABASE_URL below.
#   POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
#   kubectl -n anydrop create secret generic postgres-credentials \
#     --from-literal=username=anydrop \
#     --from-literal=password="$POSTGRES_PASSWORD"
#
#   # NOTE(review): --from-literal puts the value on the kubectl command
#   # line, where it can end up in shell history and is visible in `ps`
#   # while kubectl runs. For real values prefer --from-file=<key>=<path>
#   # from a mode-0600 file, or `kubectl apply -f -` fed from stdin.
#
#   # App secrets — session signing + DB URL
#   # DATABASE_URL embeds the Postgres password, so it must be regenerated
#   # whenever postgres-credentials is rotated; the two cannot drift apart.
#   SESSION_SECRET=$(openssl rand -base64 64 | tr -d '=+/')
#   DATABASE_URL="postgres://anydrop:${POSTGRES_PASSWORD}@postgres.anydrop.svc.cluster.local:5432/anydrop"
#   kubectl -n anydrop create secret generic anydrop-app-secrets \
#     --from-literal=SESSION_SECRET="$SESSION_SECRET" \
#     --from-literal=DATABASE_URL="$DATABASE_URL" \
#     --from-literal=STRIPE_SECRET_KEY="sk_live_…" \
#     --from-literal=STRIPE_WEBHOOK_SECRET="whsec_…" \
#     --from-literal=STRIPE_PRICE_MONTHLY="price_…" \
#     --from-literal=STRIPE_PRICE_YEARLY="price_…"
#
#   # MinIO — reuses the shared cluster MinIO in the `minio` namespace.
#   # Create a scoped user + policy on MinIO (one-shot), then store its
#   # credentials here. Don't use the MinIO root account.
#   # The mc commands run inside the MinIO pod, so the root credentials
#   # (MINIO_ROOT_USER / MINIO_ROOT_PASSWORD from the pod's environment)
#   # are only ever expanded there and never leave the `minio` namespace.
#   # kubectl -n minio exec deploy/minio -- sh -c '
#   #   mc alias set local http://localhost:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
#   #   mc mb --ignore-existing local/transfers
#   #   mc anonymous set none local/transfers   # no unauthenticated access
#   #   mc admin user add local anydrop
#   #   # Attach a policy scoped to the transfers bucket only.
#   # '
#   # NOTE(review): the policy step above is still a placeholder; the
#   # `anydrop` user is not ready until a policy limited to local/transfers
#   # is actually attached — do not fall back to a cluster-wide policy.
#   # `mc admin user add` also takes the user's secret key as a further
#   # argument; generate it like the passwords above (e.g.
#   # `openssl rand -base64 32 | tr -d '=+/'`) and pass the same value as
#   # secret_key below, which is currently the empty string.
#   kubectl -n anydrop create secret generic minio-credentials \
#     --from-literal=access_key="anydrop" \
#     --from-literal=secret_key=""
#
# Rotate by replacing the secret and restarting the pods:
#   kubectl -n anydrop rollout restart deployment/anydrop-server
#   # Env-var style consumers only pick up new values on restart; if other
#   # deployments mount these secrets, restart them too — confirm against
#   # the workload manifests.
# ---------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: anydrop
type: Opaque
stringData:
  username: anydrop
  # Must match the password inside anydrop-app-secrets/DATABASE_URL.
  password: CHANGE_ME_STRONG_PASSWORD
---
apiVersion: v1
kind: Secret
metadata:
  name: anydrop-app-secrets
  namespace: anydrop
type: Opaque
stringData:
  SESSION_SECRET: CHANGE_ME_64_BYTE_RANDOM_STRING
  # Password segment must equal postgres-credentials/password.
  DATABASE_URL: postgres://anydrop:CHANGE_ME@postgres.anydrop.svc.cluster.local:5432/anydrop
  # Phase 3 — Stripe billing. Create the product + recurring prices in the
  # Stripe dashboard, then fill these in. Leaving them unset disables the
  # /api/billing/* and webhook routes gracefully (503).
  # NOTE(review): the CHANGE_ME_* placeholders are non-empty values, so
  # applying this template as-is *sets* the Stripe keys rather than leaving
  # them unset; to keep billing disabled, omit these four keys entirely.
  STRIPE_SECRET_KEY: CHANGE_ME_sk_live_xxx
  STRIPE_WEBHOOK_SECRET: CHANGE_ME_whsec_xxx
  STRIPE_PRICE_MONTHLY: CHANGE_ME_price_xxx
  STRIPE_PRICE_YEARLY: CHANGE_ME_price_xxx
---
apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials
  namespace: anydrop
type: Opaque
stringData:
  # Credentials of the bucket-scoped MinIO user created above, never the
  # MinIO root account.
  access_key: CHANGE_ME_ACCESS_KEY
  secret_key: CHANGE_ME_SECRET_KEY