anydrop/k8s/secrets.example.yml

# ---------------------------------------------------------------------------
# Template for cluster secrets. DO NOT commit the real file.
#
# To create the real secrets on the cluster:
#
#   # Postgres — generate a strong password
#   POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
#   kubectl -n anydrop create secret generic postgres-credentials \
#     --from-literal=username=anydrop \
#     --from-literal=password="$POSTGRES_PASSWORD"
#
#   # App secrets — session signing + DB URL
#   SESSION_SECRET=$(openssl rand -base64 64 | tr -d '=+/')
#   DATABASE_URL="postgres://anydrop:${POSTGRES_PASSWORD}@postgres.anydrop.svc.cluster.local:5432/anydrop"
#   kubectl -n anydrop create secret generic anydrop-app-secrets \
#     --from-literal=SESSION_SECRET="$SESSION_SECRET" \
#     --from-literal=DATABASE_URL="$DATABASE_URL"
#
#   # MinIO (object storage for the encrypted relay)
#   MINIO_ACCESS_KEY=$(openssl rand -hex 16)
#   MINIO_SECRET_KEY=$(openssl rand -base64 40 | tr -d '=+/')
#   kubectl -n anydrop create secret generic minio-credentials \
#     --from-literal=access_key="$MINIO_ACCESS_KEY" \
#     --from-literal=secret_key="$MINIO_SECRET_KEY"
#
# Rotate by replacing the secret and restarting the pods:
#   kubectl -n anydrop rollout restart deployment/anydrop-server
# ---------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: anydrop
type: Opaque
stringData:
  username: anydrop
  password: CHANGE_ME_STRONG_PASSWORD

---
apiVersion: v1
kind: Secret
metadata:
  name: anydrop-app-secrets
  namespace: anydrop
type: Opaque
stringData:
  SESSION_SECRET: CHANGE_ME_64_BYTE_RANDOM_STRING
  DATABASE_URL: postgres://anydrop:CHANGE_ME@postgres.anydrop.svc.cluster.local:5432/anydrop

---
apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials
  namespace: anydrop
type: Opaque
stringData:
  access_key: CHANGE_ME_ACCESS_KEY
  secret_key: CHANGE_ME_SECRET_KEY