guildhall/k8s/50-guildhall-secrets-template.yaml

# Application + database secrets — TEMPLATES.
#
# Do NOT apply these files directly. Secret values are created
# imperatively so passwords and session keys never land in git.
# Two Secrets are created at deploy time:
#
# ---------- guildhall-db-credentials ----------
# Consumed by the guildhall-postgres Deployment (for its own env) and
# by guildhall-app-secrets (the password is also needed to construct
# DATABASE_URL).
#
#   DB_PASSWORD="$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)"
#
#   kubectl create secret generic guildhall-db-credentials \
#     --from-literal=POSTGRES_DB=guildhall \
#     --from-literal=POSTGRES_USER=guildhall \
#     --from-literal=POSTGRES_PASSWORD="$DB_PASSWORD" \
#     --namespace=guildhall
#
# Shape:
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: guildhall-db-credentials
#   namespace: guildhall
# type: Opaque
# data:
#   POSTGRES_DB:       <b64 "guildhall">
#   POSTGRES_USER:     <b64 "guildhall">
#   POSTGRES_PASSWORD: <b64 "<generated-strong-password>">
#
# ---------- guildhall-app-secrets ----------
# Consumed by the guildhall Deployment and migration Job. Contains the
# Phoenix session signing key and the DATABASE_URL used by Ecto at
# runtime.
#
#   SECRET_KEY_BASE="$(cd /home/tking/projects/substrate-project/guildhall && mix phx.gen.secret)"
#
#   kubectl create secret generic guildhall-app-secrets \
#     --from-literal=SECRET_KEY_BASE="$SECRET_KEY_BASE" \
#     --from-literal=DATABASE_URL="ecto://guildhall:$DB_PASSWORD@guildhall-postgres:5432/guildhall" \
#     --namespace=guildhall
#
# Note: `ecto://` scheme, not `postgres://` — `config/runtime.exs`
# invokes Ecto.Repo's built-in URL parser which accepts either, but
# `ecto://` is the canonical form in Phoenix-generated config.
#
# Shape:
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: guildhall-app-secrets
#   namespace: guildhall
# type: Opaque
# data:
#   SECRET_KEY_BASE: <b64 "<64-byte-base64-session-key>">
#   DATABASE_URL:    <b64 "ecto://guildhall:<pw>@guildhall-postgres:5432/guildhall">