# Bookstore — Part 03 ch.02 "Secrets": Postgres credentials.
#
# Resolves the Phase-2 STUB. 20-postgres-statefulset.yaml previously hardcoded
# POSTGRES_PASSWORD as an inline env value with a `# TODO(Phase 3)` marker.
# This Opaque Secret is now the SINGLE SOURCE OF TRUTH for the DB user /
# password / db-name; ch.02 edits 20- to consume it (envFrom) and 10-/14- to
# build DB_DSN from it (secretKeyRef + $(VAR) interpolation).
#
# !!! DEMO-ONLY VALUE !!!  A Secret is base64-encoded, NOT encrypted. base64 is
# trivially reversible (`base64 -d`). Anyone with `get`/`list`/`watch` on
# secrets in this namespace, or who can read etcd, sees the password in clear;
# because 20- consumes it as env vars (envFrom), so does anyone who can `exec`
# into the postgres Pod. This file with a literal password is committed ONLY
# because this is a throwaway local guide. In a real repo you NEVER commit
# this: use Sealed Secrets / External Secrets Operator / Vault, and enable
# encryption-at-rest (EncryptionConfiguration + KMS) on the apiserver. ch.02
# demonstrates all of this and decodes the value live to prove
# base64 != encryption. Two caveats to keep in mind: encryption-at-rest only
# protects etcd on disk — API reads still return plaintext, so RBAC on
# `secrets` is what actually limits who can see it — and a password that was
# ever committed must be rotated; deleting the file does not purge git history.
#
# stringData: written as-is by the client; the apiserver base64-encodes it into
# .data on write (more readable than pre-encoding by hand, identical result).
# stringData is write-only: reads (`kubectl get -o yaml`) return only .data,
# which is why the verification command below decodes `.data`, not stringData.
#
# Requires:
#   kubectl apply -f examples/bookstore/raw-manifests/00-namespace.yaml
# Apply (BEFORE 20-/10-/14-, which now reference it):
#   kubectl apply -f examples/bookstore/raw-manifests/16-db-credentials.yaml
#   kubectl get secret db-credentials -n bookstore -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: bookstore
  labels:
    app: postgres
    app.kubernetes.io/part-of: bookstore
# Opaque = untyped key/value bag; no schema is enforced on the keys (contrast
# the typed Secret kinds that ch.02 covers).
type: Opaque
# Every value is quoted so YAML tooling can never retype it (a password that
# happened to look like a number or boolean would otherwise be mangled).
# The key names are the ones 20- (envFrom) and 10-/14- (secretKeyRef) read.
stringData:
  POSTGRES_USER: "bookstore"
  POSTGRES_DB: "bookstore"
  # DEMO-ONLY placeholder — never a real or committed credential.
  POSTGRES_PASSWORD: "devpassword"
