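---
# HSMSecret: asks the hsm-secrets-operator to materialise the HSM-held API
# keys as a Kubernetes Secret named after this object (external-api-keys).
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: external-api-keys
  namespace: default
  labels:
    app: myapp
    type: api-keys
  annotations:
    hsm.j5t.io/description: "API keys for external services (Stripe, AWS, etc.)"
spec:
  # HSM path is automatically set to the metadata.name (external-api-keys)
  # ParentRef identifies which operator instance should handle this HSMSecret
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system
  # Enable automatic synchronization
  autoSync: true
  # Sync every 10 minutes (API keys might rotate frequently)
  syncInterval: 600
---
# Example application using the API keys
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-service
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: payment-service
  template:
    metadata:
      labels:
        app: payment-service
    spec:
      # Nothing in this manifest talks to the Kubernetes API, so do not hand
      # the pod a service-account token; a compromised container would
      # otherwise be able to use it. Re-enable only if the app needs the API.
      automountServiceAccountToken: false
      # Pod-level hardening. runAsNonRoot assumes the image declares a
      # non-root USER — confirm against mycompany/payment-service:v1.2.3.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: payment-service
          # Consider pinning by digest (image@sha256:<digest-placeholder>) so a
          # re-tagged v1.2.3 cannot silently replace the reviewed build.
          image: mycompany/payment-service:v1.2.3
          # Container-level hardening: this process holds payment and cloud
          # credentials, so it should not be able to gain privileges.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): values injected as env vars are inherited by child
          # processes and can surface in crash reports or debug output. If the
          # app can read files, mounting the same Secret as a volume keeps the
          # credentials out of the process environment.
          env:
            # Stripe API key from HSM
            - name: STRIPE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: stripe_api_key
            - name: STRIPE_WEBHOOK_SECRET
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: stripe_webhook_secret
            # AWS credentials from HSM
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: aws_access_key_id
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: aws_secret_access_key
            # Other third-party API keys
            - name: SENDGRID_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: sendgrid_api_key
            - name: DATADOG_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: datadog_api_key
          ports:
            - containerPort: 8080
              name: http
          # Health checks
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
          # Resource limits
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
---
# Service for the payment service
apiVersion: v1
kind: Service
metadata:
  name: payment-service
  namespace: default
  labels:
    app: payment-service
spec:
  selector:
    app: payment-service
  ports:
    - port: 80
      targetPort: 8080
      name: http
  type: ClusterIP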