docs: add secrets management design (kubectl bootstrap script)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/plans/2026-02-28-secrets-management-design.md

@@ -0,0 +1,26 @@
+# Secrets Management Design
+
+**Goal:** Remove secrets from the Helm chart and provide a kubectl script to bootstrap them out-of-band, compatible with ArgoCD.
+
+**Approach:** Pre-create with kubectl script (Option A). Helm stops owning the secret; a bootstrap script creates it before the first ArgoCD sync.
+
+---
+
+## Helm chart changes
+
+- Delete `templates/secret.yaml` — Helm no longer creates or owns `shorefront-secret`
+- Remove the `secrets:` block from `values.yaml` and `values-prod.yaml` — no secret values in git
+- The `secretKeyRef` references in `backend-deployment.yaml` and `postgres-deployment.yaml` are unchanged; they already reference `shorefront-secret` by name
+
+## Script: `scripts/create-secrets.sh`
+
+- Reads `POSTGRES_PASSWORD` and `JWT_SECRET_KEY` from environment variables; exits with a clear error if either is unset
+- Creates the `shorefront` namespace if it does not exist (safe to run before `helm install`)
+- Uses `kubectl create secret generic shorefront-secret --dry-run=client -o yaml | kubectl apply -f -` for idempotency (safe to re-run for credential rotation)
+- Prints success/failure
+
+## ArgoCD workflow
+
+1. Operator runs `scripts/create-secrets.sh` once on bootstrap (and again on rotation)
+2. ArgoCD syncs the Helm chart; `shorefront-secret` already exists, pods start normally
+3. ArgoCD does not manage the secret (no `managed-by: Helm` annotation), so it never diffs or deletes it