diff --git a/scripts/create-secrets.sh b/scripts/create-secrets.sh
new file mode 100755
index 0000000..09b2455
--- /dev/null
+++ b/scripts/create-secrets.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+NAMESPACE="shorefront"
+
+# --- Validate required env vars ---
+: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}"
+: "${JWT_SECRET_KEY:?JWT_SECRET_KEY is required}"
+
+echo "Creating namespace '${NAMESPACE}' if it does not exist..."
+kubectl create namespace "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Creating/updating secret 'shorefront-secret' in namespace '${NAMESPACE}'..."
+kubectl create secret generic shorefront-secret \
+  --namespace "${NAMESPACE}" \
+  --from-literal="POSTGRES_PASSWORD=${POSTGRES_PASSWORD}" \
+  --from-literal="JWT_SECRET_KEY=${JWT_SECRET_KEY}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Done. Secret 'shorefront-secret' is ready in namespace '${NAMESPACE}'."