---
# Secrets for RAG Service (sensitive data)
apiVersion: v1
kind: Secret
metadata:
  name: provisioning-rag-secrets
  namespace: provisioning-rag
  labels:
    app: provisioning-rag
    component: secrets
type: Opaque
stringData:
  # Database Credentials
  DB_USER: "surrealdb_user"
  DB_PASSWORD: "changeme-in-production"

  # API Keys (if using external services like OpenAI)
  OPENAI_API_KEY: "sk-changeme-in-production"

  # Service to Service Communication
  SERVICE_AUTH_TOKEN: "changeme-in-production"

  # TLS/SSL (if needed)
  TLS_CERT: |
    -----BEGIN CERTIFICATE-----
    # Certificate content here
    -----END CERTIFICATE-----
  TLS_KEY: |
    -----BEGIN PRIVATE KEY-----
    # Private key content here
    -----END PRIVATE KEY-----

---
# Docker Registry Secret for pulling private images
apiVersion: v1
kind: Secret
metadata:
  name: provisioning-rag-registry
  namespace: provisioning-rag
  labels:
    app: provisioning-rag
    component: registry
type: kubernetes.io/dockercfg
data:
  # Base64 encoded docker config
  .dockercfg: eyJhdXRoIjogImNoYW5nZW1lLWluLXByb2R1Y3Rpb24ifQ==

---
# Service Account for RAG Service
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provisioning-rag
  namespace: provisioning-rag
  labels:
    app: provisioning-rag
    component: serviceaccount
automountServiceAccountToken: true