# Template for the apps-pg-credentials Secret.
# DO NOT commit this file with real credentials.
# Encrypt with: sops -e -i helm/apps-pg-secret.sops.yaml
# Apply with:   kubectl apply -f <(sops -d helm/apps-pg-secret.sops.yaml)
#
# This Secret is consumed by the bootstrap.initdb stanza of
# helm/apps-pg-cluster.yaml and only exists to create the platform
# bootstrap role `apps_admin` and meta DB `apps_meta`. It is NOT a
# runtime credential for any S5 application — those are issued per
# consumer through the onboarding contract in docs/apps-pg.md.
---
apiVersion: v1
kind: Secret
metadata:
  name: apps-pg-credentials
  namespace: databases
  labels:
    app.kubernetes.io/name: apps-pg
    app.kubernetes.io/component: database-bootstrap
    app.kubernetes.io/managed-by: manual
    railiance.io/layer: s3-platform
type: kubernetes.io/basic-auth
stringData:
  username: apps_admin
  password: REPLACE_WITH_PASSWORD  # encrypt with SOPS before committing