# Example 1: Simple API Key (No Rotation)
#
# Use case: Long-lived API key that doesn't need rotation
# 
# Characteristics:
# - Generated once
# - No rotation schedule
# - No Reloader needed (static secret)

---
apiVersion: v1
kind: Namespace
metadata:
  name: api-service

---
apiVersion: secrets.c5ai.ch/v1alpha1
kind: ManagedSecret
metadata:
  name: api-keys
  namespace: api-service
spec:
  vault:
    address: "http://openbao.openbao.svc.cluster.local:8200"
    authMethod: kubernetes
    role: managedsecret-operator
    kvVersion: v2
    mount: secret
    path: api/service/keys
  
  fields:
  # Static service identifier
  - name: service-id
    type: static
    value: "api-service-prod"
  
  # Generated API key (long, alphanumeric)
  - name: api-key
    type: generated
    generator:
      type: password
      length: 64
      minDigits: 10
      minSymbols: 0
      minLowercase: 20
      minUppercase: 20
      symbolCharacters: ""  # No symbols, just alphanumeric
      allowRepeat: false
  
  # Static API endpoint
  - name: api-endpoint
    type: static
    value: "https://api.external-service.com/v1"
  
  destination:
    name: api-secret
    type: Opaque
  
  # No rotation - generate once and keep
  rotation:
    enabled: false

---
# Example Deployment using the API key
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-consumer
  namespace: api-service
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api-consumer
  template:
    metadata:
      labels:
        app: api-consumer
      # No Reloader annotation needed - secret doesn't change
    spec:
      containers:
      - name: app
        image: your-app:latest
        env:
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: api-secret
              key: api-key
        - name: API_ENDPOINT
          valueFrom:
            secretKeyRef:
              name: api-secret
              key: api-endpoint
        - name: SERVICE_ID
          valueFrom:
            secretKeyRef:
              name: api-secret
              key: service-id

---
# Example: Using the secret in a ConfigMap template
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-config
  namespace: api-service
data:
  config.yaml: |
    service:
      name: api-consumer
      # API credentials loaded from secret via environment variables
      # See deployment above for how to inject API_KEY
    
    endpoints:
      external:
        timeout: 30s
        retry: 3

---
# How to retrieve the API key for external use
# kubectl get secret api-secret -n api-service -o jsonpath='{.data.api-key}' | base64 -d