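---
# HSMSecret: asks the referenced operator instance to manage the secret kept
# in the HSM under the path "database-credentials".
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: database-credentials
  namespace: default
  labels:
    app: myapp
    type: database
    environment: production
  annotations:
    hsm.j5t.io/description: "PostgreSQL database credentials for production"
spec:
  # HSM path is automatically set to the metadata.name (database-credentials)

  # ParentRef identifies which operator instance should handle this HSMSecret
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system

  # Enable automatic sync from HSM to Kubernetes
  # NOTE(review): the synced copy is presumably an ordinary Kubernetes Secret
  # named after this resource (the Deployment below reads
  # "database-credentials" in the same namespace) - confirm against the
  # operator documentation. That copy lives in the cluster datastore, so the
  # HSM's protections do not cover it: restrict get/list/watch on Secrets in
  # this namespace through RBAC and enable encryption at rest for Secrets.
  autoSync: true

  # Check for changes every 5 minutes (300 seconds)
  syncInterval: 300
---
# Example of how to use the secret in a deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-database
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp-database
  template:
    metadata:
      labels:
        app: myapp-database
    spec:
      containers:
        - name: app
          # "postgres:13" is a mutable tag; for production, pin the image to
          # a digest (postgres@sha256:<DIGEST_PLACEHOLDER>) so the deployed
          # content cannot change without a manifest change.
          image: postgres:13
          env:
            # Use the HSM-backed secret
            # secretKeyRef values are resolved when the container starts: a
            # value rotated in the HSM and synced into the Secret reaches
            # running pods only after they are restarted. The pod does not
            # start if the Secret or a referenced key is missing.
            # Environment variables are readable by every process in the
            # container and by anyone allowed to exec into the pod; mounting
            # the Secret as files narrows that exposure.
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: database_name
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: password
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: database-credentials
                  key: database_url
          ports:
            - containerPort: 5432
              name: postgres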