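# Secret for the production environment:
#   cms-plugins-production-secrets — env vars consumed by the pod via the
#   chart's `existingSecret`. EMDASH_ENCRYPTION_KEY is required; everything
#   else is optional.
#
# NOTE: the Flux SSH deploy key (cms-plugins-deploy-key) is NOT defined here.
# It is a single shared key defined once in the staging overlay's secrets.yaml
# (namespace `kotkan`); this env's source.yaml references it by name. Defining
# it again here would create a duplicate Secret (same name + namespace) with
# last-write-wins ambiguity. Mirrors the emdash-kotkanagrilli reference.
#
# NOTE(review): this production Secret and the shared deploy key both live in
# namespace `kotkan`, so any RBAC grant that allows reading Secrets in that
# namespace covers both — confirm that is intended.
#
# This is a TEMPLATE — replace the placeholder, then encrypt the file with
# sops before committing to the anton-helm-workloads repo. The plaintext
# version must never be committed.
#
# `--age` takes the recipient's age PUBLIC key as its value; without one,
# sops treats the file name as the recipient and the command fails. Drop the
# flag only if a `.sops.yaml` creation rule already supplies the recipient.
#
#   sops --encrypt --age <AGE_RECIPIENT_PUBLIC_KEY> secrets.yaml > secrets.enc.yaml
#   mv secrets.enc.yaml secrets.yaml
#
# If Flux's kustomize-controller decrypts this file, also pass
# `--encrypted-regex '^(data|stringData)$'` so that only the secret values
# are encrypted and apiVersion/kind/metadata stay readable — check the
# repo's `.sops.yaml` before adding it.
#
# Generation:
#   openssl rand -hex 32   → EMDASH_ENCRYPTION_KEY (one per env, do not reuse).
#   The command prints 64 hex characters (32 random bytes).
---
apiVersion: v1
kind: Secret
metadata:
  name: cms-plugins-production-secrets
  namespace: kotkan
type: Opaque
stringData:
  # Quoted so the value is always read as a string, whatever the generated
  # key happens to look like. The placeholder must be replaced before
  # encryption; a deployed placeholder is a publicly known key.
  EMDASH_ENCRYPTION_KEY: 'REPLACE_WITH_RANDOM_HEX_32'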