# Kubernetes Secrets Template for Production
# DO NOT commit actual secrets to Git
# Use this as a template to create secrets

# Create secret using kubectl:
# kubectl create secret generic iam-service-secrets \
#   --from-literal=database-url='postgresql://user:pass@ep-xxx.region.neon.tech/dbname?sslmode=require&pgbouncer=true' \
#   --from-literal=jwt-secret='your-production-jwt-secret-min-32-chars' \
#   --from-literal=jwt-refresh-secret='your-production-refresh-secret-min-32-chars' \
#   --from-literal=redis-password='' \
#   -n production

# Or use GitHub Secrets in CI/CD:
# - NEON_DATABASE_URL_PRODUCTION
# - JWT_SECRET_PRODUCTION
# - JWT_REFRESH_SECRET_PRODUCTION

apiVersion: v1
kind: Secret
metadata:
  name: iam-service-secrets
  namespace: production
type: Opaque
stringData:
  # Neon Database URL (Production branch)
  # Format: postgresql://user:password@ep-xxx.region.neon.tech/dbname?sslmode=require&pgbouncer=true
  database-url: "postgresql://user:password@ep-xxx.region.neon.tech/dbname?sslmode=require&pgbouncer=true"
  
  # JWT Secrets (use strong random strings, min 32 characters)
  jwt-secret: "your-production-jwt-secret-min-32-chars"
  jwt-refresh-secret: "your-production-refresh-secret-min-32-chars"
  
  # Redis (if password protected)
  redis-password: ""