phase 14-15: docker build validation and helm deployment

infra/k8s/secrets.yaml

@@ -1,17 +1,63 @@
+##
+## Stonks Oracle — Scoped Secrets
+##
+## Secrets are split by concern so that only the services that need
+## broker or market-data credentials actually receive them.
+## Replace placeholder values before deploying.
+##
+## Requirements: 8.2 (broker credential isolation)
+##
+
+# ── Core infrastructure secrets (DB, object store, cache) ──────────────
 apiVersion: v1
 kind: Secret
 metadata:
-  name: stonks-secrets
+  name: stonks-core-secrets
   namespace: stonks-oracle
   labels:
     app.kubernetes.io/part-of: stonks-oracle
 type: Opaque
 stringData:
-  POSTGRES_PASSWORD: "changeme"
-  MINIO_ACCESS_KEY: "changeme"
-  MINIO_SECRET_KEY: "changeme"
+  POSTGRES_PASSWORD: "REPLACE_ME"
+  MINIO_ACCESS_KEY: "REPLACE_ME"
+  MINIO_SECRET_KEY: "REPLACE_ME"
   REDIS_PASSWORD: ""
-  BROKER_API_KEY: ""
-  BROKER_API_SECRET: ""
-  BROKER_BASE_URL: ""
-  SUPERSET_SECRET_KEY: "stonks-superset-secret-change-me"
+---
+# ── Broker secrets — only for broker-adapter and risk-engine ───────────
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stonks-broker-secrets
+  namespace: stonks-oracle
+  labels:
+    app.kubernetes.io/part-of: stonks-oracle
+type: Opaque
+stringData:
+  BROKER_API_KEY: "REPLACE_ME"
+  BROKER_API_SECRET: "REPLACE_ME"
+  BROKER_BASE_URL: "https://paper-api.alpaca.markets"
+---
+# ── Market data secrets — only for ingestion and adapters ──────────────
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stonks-market-secrets
+  namespace: stonks-oracle
+  labels:
+    app.kubernetes.io/part-of: stonks-oracle
+type: Opaque
+stringData:
+  MARKET_DATA_API_KEY: "REPLACE_ME"
+---
+# ── Dashboard secrets — only for Superset ──────────────────────────────
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stonks-dashboard-secrets
+  namespace: stonks-oracle
+  labels:
+    app.kubernetes.io/part-of: stonks-oracle
+type: Opaque
+stringData:
+  SUPERSET_SECRET_KEY: "REPLACE_ME"
+  SUPERSET_ADMIN_PASSWORD: "REPLACE_ME"