From 3278ef63b31b62d29f5f9d3e72af35add74543fe Mon Sep 17 00:00:00 2001
From: "Adrian A. Baumann" <ade@adebaumann.com>
Date: Sat, 28 Feb 2026 23:08:48 +0100
Subject: [PATCH] feat: remove secrets block from Helm values

Remove the secrets: block from values.yaml so no plaintext credentials
live in the chart or git history. Update values-prod.yaml to replace the
--set secrets.* instructions with a pointer to the create-secrets.sh script.
---
 helm/shorefront/values-prod.yaml | 11 ++++++-----
 helm/shorefront/values.yaml      |  4 ----
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/helm/shorefront/values-prod.yaml b/helm/shorefront/values-prod.yaml
index f3a86a9..280dc21 100644
--- a/helm/shorefront/values-prod.yaml
+++ b/helm/shorefront/values-prod.yaml
@@ -1,8 +1,9 @@
 ingress:
   host: shorefront.yourdomain.com
 
-# Override secrets at deploy time:
-# helm upgrade --install shorefront ./helm/shorefront \
-#   --values helm/shorefront/values-prod.yaml \
-#   --set secrets.postgresPassword=<real-password> \
-#   --set secrets.jwtSecretKey=<real-jwt-secret>
+# Secrets are NOT managed by Helm. Run scripts/create-secrets.sh before
+# the first helm install/ArgoCD sync:
+#
+#   export POSTGRES_PASSWORD=<real-password>
+#   export JWT_SECRET_KEY=<real-jwt-secret>
+#   bash scripts/create-secrets.sh
diff --git a/helm/shorefront/values.yaml b/helm/shorefront/values.yaml
index 7e7febe..2ee93c6 100644
--- a/helm/shorefront/values.yaml
+++ b/helm/shorefront/values.yaml
@@ -33,7 +33,3 @@ nfs:
 ingress:
   host: shorefront.example.com
   ingressClassName: traefik
-
-secrets:
-  postgresPassword: changeme-in-prod
-  jwtSecretKey: changeme-in-prod