shorefront/docs/plans/2026-02-28-secrets-management-design.md

Secrets Management Design

Goal: Remove secrets from the Helm chart and provide a kubectl script to bootstrap them out-of-band, compatible with ArgoCD.

Approach: Pre-create with kubectl script (Option A). Helm stops owning the secret; a bootstrap script creates it before the first ArgoCD sync.

---

Helm chart changes

• Delete templates/secret.yaml — Helm no longer creates or owns shorefront-secret
• Remove the secrets: block from values.yaml and values-prod.yaml — no secret values in git
• The secretKeyRef references in backend-deployment.yaml and postgres-deployment.yaml are unchanged; they already reference shorefront-secret by name

Script: scripts/create-secrets.sh

• Reads POSTGRES_PASSWORD and JWT_SECRET_KEY from environment variables; exits with a clear error if either is unset
• Creates the shorefront namespace if it does not exist (safe to run before helm install)
• Uses kubectl create secret generic shorefront-secret --dry-run=client -o yaml | kubectl apply -f - for idempotency (safe to re-run for credential rotation)
• Prints success/failure

ArgoCD workflow

1. Operator runs scripts/create-secrets.sh once on bootstrap (and again on rotation)
2. ArgoCD syncs the Helm chart; shorefront-secret already exists, pods start normally
3. ArgoCD does not manage the secret (no managed-by: Helm annotation), so it never diffs or deletes it