##
## Stonks Oracle — Scoped Secrets
##
## Secrets are split by concern so that only the services that need
## broker or market-data credentials actually receive them.
## Replace placeholder values before deploying.
##
## Requirements: 8.2 (broker credential isolation)
##

# ── Core infrastructure secrets (DB, object store, cache) ──────────────
apiVersion: v1
kind: Secret
metadata:
  name: stonks-core-secrets
  namespace: stonks-oracle
  labels:
    app.kubernetes.io/part-of: stonks-oracle
type: Opaque
stringData:
  POSTGRES_PASSWORD: "REPLACE_ME"
  MINIO_ACCESS_KEY: "REPLACE_ME"
  MINIO_SECRET_KEY: "REPLACE_ME"
  REDIS_PASSWORD: ""
---
# ── Broker secrets — only for broker-adapter and risk-engine ───────────
apiVersion: v1
kind: Secret
metadata:
  name: stonks-broker-secrets
  namespace: stonks-oracle
  labels:
    app.kubernetes.io/part-of: stonks-oracle
type: Opaque
stringData:
  BROKER_API_KEY: "REPLACE_ME"
  BROKER_API_SECRET: "REPLACE_ME"
  BROKER_BASE_URL: "https://paper-api.alpaca.markets"
---
# ── Market data secrets — only for ingestion and adapters ──────────────
apiVersion: v1
kind: Secret
metadata:
  name: stonks-market-secrets
  namespace: stonks-oracle
  labels:
    app.kubernetes.io/part-of: stonks-oracle
type: Opaque
stringData:
  MARKET_DATA_API_KEY: "REPLACE_ME"
---
# ── Dashboard secrets — only for Superset ──────────────────────────────
apiVersion: v1
kind: Secret
metadata:
  name: stonks-dashboard-secrets
  namespace: stonks-oracle
  labels:
    app.kubernetes.io/part-of: stonks-oracle
type: Opaque
stringData:
  SUPERSET_SECRET_KEY: "REPLACE_ME"
  SUPERSET_ADMIN_PASSWORD: "REPLACE_ME"