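# SECRET TEMPLATE for the data tier — copy, fill, apply OUT-OF-BAND.
# NEVER commit real values. Excluded from kustomization.yaml on purpose.
#
# Procedure (run from a trusted admin workstation):
#
#   umask 077   # the filled copy must not be readable by other local users
#   cp secrets.example.yaml /tmp/data-secrets.yaml
#   # fill every REPLACE_* (openssl rand -hex 24), keeping the quotes
#   grep -n 'REPLACE_' /tmp/data-secrets.yaml   # must print nothing
#   kubectl apply -f /tmp/data-secrets.yaml; rm -f /tmp/data-secrets.yaml
#
# Why the extra steps:
#   - /tmp is shared, so without a restrictive umask the filled file is
#     created with default permissions.
#   - A placeholder left in place is applied as a guessable password, so
#     check for leftovers before applying.
#   - `; rm -f` removes the plaintext copy even when the apply fails
#     (`&& rm` would leave it behind on error).
#
# Record these in Bitwarden — losing them locks you out of the DBs. The
# AUTHENTIK_DB_PASSWORD / OCIS_DB_PASSWORD must match what you give Authentik
# and OCIS in their own configs.
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
  namespace: dezky-data
type: Opaque
# Values are quoted so a generated value is always read as a string;
# stringData only accepts strings.
stringData:
  POSTGRES_PASSWORD: 'REPLACE_superuser_pw'  # openssl rand -hex 24
  AUTHENTIK_DB_PASSWORD: 'REPLACE_authentik_pw'  # openssl rand -hex 24
  OCIS_DB_PASSWORD: 'REPLACE_ocis_pw'  # openssl rand -hex 24
---
apiVersion: v1
kind: Secret
metadata:
  name: mongo-secret
  namespace: dezky-data
type: Opaque
stringData:
  root-username: dezky
  root-password: 'REPLACE_mongo_root_pw'  # openssl rand -hex 24
---
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret
  namespace: dezky-data
type: Opaque
stringData:
  REDIS_PASSWORD: 'REPLACE_redis_pw'  # openssl rand -hex 24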