# Secrets Management Design

**Goal:** Remove secrets from the Helm chart and provide a kubectl script to bootstrap them out-of-band, compatible with ArgoCD.

**Approach:** Pre-create with kubectl script (Option A). Helm stops owning the secret; a bootstrap script creates it before the first ArgoCD sync.

---

## Helm chart changes

- Delete `templates/secret.yaml`: Helm no longer creates or owns `shorefront-secret`
- Remove the `secrets:` block from `values.yaml` and `values-prod.yaml`: no secret values in git
- The `secretKeyRef` references in `backend-deployment.yaml` and `postgres-deployment.yaml` are unchanged; they already reference `shorefront-secret` by name. If the secret is missing, the pods stay in `CreateContainerConfigError` until it is created, rather than starting without credentials.

## Script: `scripts/create-secrets.sh`

- Reads `POSTGRES_PASSWORD` and `JWT_SECRET_KEY` from environment variables; exits with a clear error if either is unset or empty
- Creates the `shorefront` namespace if it does not exist (safe to run before `helm install` or the first ArgoCD sync)
- Uses `kubectl create secret generic shorefront-secret --dry-run=client -o yaml | kubectl apply -f -` rather than a bare `kubectl create secret`, so the script is idempotent: a plain `create` fails with "already exists" on the second run, while `apply` updates the existing object, which is what makes re-running it for credential rotation safe
- Prints success/failure

## ArgoCD workflow

1. Operator runs `scripts/create-secrets.sh` once on bootstrap (and again on rotation)
2. ArgoCD syncs the Helm chart; `shorefront-secret` already exists, pods start normally
3. ArgoCD does not manage the secret: it is not part of the rendered chart output and carries no ArgoCD tracking label (`app.kubernetes.io/instance`) or tracking annotation, so ArgoCD never diffs it, reports it out of sync, or prunes it
4. On rotation, re-running the script updates the Secret object, but containers read `secretKeyRef` environment variables only at start. Restart the deployments that consume the secret (for example with `kubectl rollout restart` in the `shorefront` namespace) so the new values take effect.
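The following is an added, illustrative implementation of `scripts/create-secrets.sh` covering the script behaviour and the workflow above; it is not the project's own script. It departs from the `kubectl create secret ... --dry-run=client -o yaml | kubectl apply -f -` form in one respect: the Secret manifest is rendered by the script itself, so the secret values never appear in a process argument list (where `--from-literal` would expose them to `ps` and `/proc`), while still going through `kubectl apply` for idempotency. Assumptions: the data keys inside the secret are named the same as the environment variables (`POSTGRES_PASSWORD`, `JWT_SECRET_KEY`); the namespace is `shorefront`; `kubectl` and `base64` are on `PATH`.

```bash
#!/usr/bin/env bash
# scripts/create-secrets.sh (added example, not the project's script)
#
# Bootstraps shorefront-secret out-of-band so that neither Helm nor ArgoCD owns it.
#   export POSTGRES_PASSWORD=...; export JWT_SECRET_KEY=...; scripts/create-secrets.sh
set -eu

NAMESPACE="${NAMESPACE:-shorefront}"      # assumption: chart installs into "shorefront"
SECRET_NAME="shorefront-secret"           # name referenced by the deployments' secretKeyRef

# Fail clearly if a required variable is unset or empty. Indirection via eval keeps
# this POSIX-sh compatible (no ${!name}).
require_env() {
  local name="$1" val
  eval "val=\${$name:-}"
  if [ -z "$val" ]; then
    echo "error: $name must be exported in the environment before running this script" >&2
    return 1
  fi
}

# Single-line base64 (GNU base64 wraps at 76 chars; macOS does not).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret manifest. Assumption: data keys match the env var names.
render_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: Opaque
data:
  POSTGRES_PASSWORD: $(b64 "$POSTGRES_PASSWORD")
  JWT_SECRET_KEY: $(b64 "$JWT_SECRET_KEY")
EOF
}

# Safe to run before helm install / the first ArgoCD sync.
ensure_namespace() {
  if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
    kubectl create namespace "$NAMESPACE"
  fi
}

# apply (not create) makes re-runs idempotent, so rotation is the same command.
apply_secret() {
  render_secret_manifest | kubectl apply -f -
}

main() {
  missing=0
  require_env POSTGRES_PASSWORD || missing=1
  require_env JWT_SECRET_KEY || missing=1
  [ "$missing" -eq 0 ] || exit 1

  ensure_namespace
  if apply_secret; then
    echo "ok: ${SECRET_NAME} applied in namespace ${NAMESPACE}"
    echo "note: env vars from secretKeyRef are read at container start;" \
         "after a rotation, restart the deployments that consume this secret"
  else
    echo "error: failed to apply ${SECRET_NAME}" >&2
    exit 1
  fi
}

# Run main only when executed as the script itself, so the functions above can be
# sourced (e.g. to check the rendered manifest) without touching a cluster.
case "${0##*/}" in
  create-secrets.sh) main "$@" ;;
esac
```

Because the manifest goes through `kubectl apply`, the object also carries a `kubectl.kubernetes.io/last-applied-configuration` annotation holding the same data; that is no additional exposure beyond the Secret itself, but it is worth knowing when auditing what is stored in etcd.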