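---
# ==============================================================================
# STATIC SECRET (values committed in clear text in this manifest)
# ==============================================================================
# NOTE(review): every value under stringData below is stored in clear text in
# version control. The ExternalSecret at the end of this file syncs the same
# keys from Vault into a *different* Secret (afterwork-secrets-vault); which of
# the two is live depends on the Deployment's secretRef, which is not in this
# file. Once the Vault-backed Secret is the source, rotate these values and
# remove this document so they stop living in the repository.
apiVersion: v1
kind: Secret
metadata:
  name: afterwork-secrets
  namespace: applications
  labels:
    app: afterwork-api
    component: secrets
    environment: production
    project: lions-infrastructure-2025
type: Opaque
stringData:
  # ============================================================================
  # PostgreSQL DATABASE
  # ============================================================================
  # Uses the Lions infrastructure PostgreSQL:
  # postgresql-service.postgresql.svc.cluster.local:5432
  DB_PASSWORD: "AfterWork2025!"

  # ============================================================================
  # JWT / SECURITY
  # ============================================================================
  # JWT signing secret (at least 32 characters, random).
  # Generate with: openssl rand -base64 32
  # NOTE(review): the current value is a readable phrase, not the random output
  # the line above calls for; replace it with a generated value before relying
  # on it in production (all tokens signed with the old value become invalid).
  JWT_SECRET: "AfterWorkJWTSecret2025LionsInfrastructureKey"

  # ============================================================================
  # INITIAL ADMINISTRATOR ACCOUNT
  # ============================================================================
  ADMIN_EMAIL: "admin@afterwork.ci"
  ADMIN_PASSWORD: "AdminAfterWork2025!"

  # ============================================================================
  # EMAIL SERVICE (SMTP)
  # ============================================================================
  # Gmail or any other SMTP provider
  MAILER_USERNAME: "noreply@afterwork.ci"
  # Placeholder ("CHANGEZ_MOI" = "change me") — must be replaced before use
  MAILER_PASSWORD: "CHANGEZ_MOI_SMTP_PASSWORD"

  # ============================================================================
  # WAVE PAYMENT (payment integration)
  # ============================================================================
  # Placeholders — must be replaced before use
  WAVE_API_KEY: "CHANGEZ_MOI_WAVE_API_KEY"
  WAVE_SECRET: "CHANGEZ_MOI_WAVE_SECRET"

---
# ==============================================================================
# CONFIGMAP FOR NON-SENSITIVE CONFIGURATION
# ==============================================================================
apiVersion: v1
kind: ConfigMap
metadata:
  name: afterwork-config
  namespace: applications
  labels:
    app: afterwork-api
    component: configuration
    environment: production
    project: lions-infrastructure-2025
data:
  # ============================================================================
  # DATABASE - Lions PostgreSQL
  # ============================================================================
  DB_HOST: "postgresql-service.postgresql.svc.cluster.local"
  DB_PORT: "5432"
  DB_NAME: "mic-after-work-server-impl-quarkus-main"
  DB_USERNAME: "lionsuser"

  # ============================================================================
  # QUARKUS
  # ============================================================================
  QUARKUS_PROFILE: "prod"
  QUARKUS_LOG_LEVEL: "INFO"
  QUARKUS_LOG_CONSOLE_JSON: "true"

  # ============================================================================
  # JWT
  # ============================================================================
  # presumably seconds (86400 = 24h) — confirm against the application config
  JWT_LIFESPAN: "86400"
  JWT_ISSUER: "afterwork-api"

  # ============================================================================
  # KAFKA - Lions Infrastructure
  # ============================================================================
  # Uses the Kafka deployed in the kafka namespace
  KAFKA_BOOTSTRAP_SERVERS: "kafka-service.kafka.svc.cluster.local:9092"

  # ============================================================================
  # EMAIL (SMTP)
  # ============================================================================
  MAILER_HOST: "smtp.gmail.com"
  MAILER_PORT: "587"
  # NOTE(review): this value ends in a trailing space and contains no e-mail
  # address — confirm the sender value is complete.
  MAILER_FROM: "AfterWork "
  MAILER_START_TLS: "REQUIRED"
  # In production set this to false. true = mock (no real sending).
  # NOTE(review): this ConfigMap is labelled environment: production yet the
  # mock is still enabled — no mail is actually sent until this is "false".
  MAILER_MOCK: "true"

  # ============================================================================
  # RATE LIMITING
  # ============================================================================
  AFTERWORK_RATELIMIT_MAX_REQUESTS: "10"
  AFTERWORK_RATELIMIT_WINDOW_SECONDS: "60"

  # ============================================================================
  # WAVE PAYMENT
  # ============================================================================
  WAVE_BASE_URL: "https://api.wave.com"
  WAVE_CURRENCY: "XOF"
  WAVE_CALLBACK_URL: "https://api.lions.dev/afterwork/webhooks/wave"

  # ============================================================================
  # OBSERVABILITY - Lions Prometheus/Grafana
  # ============================================================================
  # Prometheus scrapes via annotations on the pod
  # Grafana is available at https://grafana.lions.dev

  # ============================================================================
  # KEYCLOAK / SSO (optional)
  # ============================================================================
  # OIDC_AUTH_SERVER_URL: "https://security.lions.dev/realms/lions"
  # OIDC_CLIENT_ID: "afterwork-api"

---
# ==============================================================================
# EXTERNAL SECRET - Vault integration (ACTIVE)
# ==============================================================================
# Vault is unsealed at https://vault.lions.dev
# Secrets are synced from Vault into Kubernetes automatically.
#
# PREREQUISITE: create the secrets in Vault. The values below are placeholders;
# never paste the real values into this file.
#   vault kv put lions/afterwork \
#     db_password="<DB_PASSWORD>" \
#     jwt_secret="<JWT_SECRET>" \
#     admin_password="<ADMIN_PASSWORD>" \
#     mailer_password="<MAILER_PASSWORD>" \
#     wave_api_key="<WAVE_API_KEY>" \
#     wave_secret="<WAVE_SECRET>"
#
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: afterwork-vault-secrets
  namespace: applications
  labels:
    app: afterwork-api
    component: external-secrets
    # added for consistency with the Secret and ConfigMap above
    environment: production
    project: lions-infrastructure-2025
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    # Distinct from the static Secret "afterwork-secrets" above: the Deployment
    # must reference this name for the Vault-synced values to be used.
    name: afterwork-secrets-vault
    creationPolicy: Owner
  data:
    # remoteRef.key is the KV v2 API path for the CLI path lions/afterwork
    # (store configuration not shown — confirm it does not already add the
    # mount prefix).
    - secretKey: DB_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: db_password
    - secretKey: JWT_SECRET
      remoteRef:
        key: lions/data/afterwork
        property: jwt_secret
    - secretKey: ADMIN_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: admin_password
    - secretKey: MAILER_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: mailer_password
    - secretKey: WAVE_API_KEY
      remoteRef:
        key: lions/data/afterwork
        property: wave_api_key
    - secretKey: WAVE_SECRET
      remoteRef:
        key: lions/data/afterwork
        property: wave_secret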