# TEMPLATE — do NOT commit a filled-in copy. Generate the real secret
# via scripts/generate-secrets.sh and apply once out-of-band:
#
#   ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
#   kubectl apply -f infra/k3s/20-secrets.yaml
#
# Component passwords are only used cluster-internally between
# prosody/jicofo/jvb — clients (browsers) never see them.
apiVersion: v1
kind: Secret
metadata:
  name: jitsi-secrets
  namespace: jitsi
type: Opaque
stringData:
  # Inter-component passwords — generate fresh via generate-secrets.sh
  JICOFO_COMPONENT_SECRET: "REPLACE_WITH_32_RANDOM_CHARS"
  JICOFO_AUTH_USER: "focus"
  JICOFO_AUTH_PASSWORD: "REPLACE_WITH_32_RANDOM_CHARS"
  JVB_AUTH_USER: "jvb"
  JVB_AUTH_PASSWORD: "REPLACE_WITH_32_RANDOM_CHARS"
  # HMAC key shared with Embertime — must match app_settings.meeting_jwt_secret
  # in Embertime's DB. Get it from the Embertime UI (Settings → Meeting-Server
  # → "Secret rotieren") OR query the DB directly with:
  #   kubectl -n embertime exec -it deploy/embertime-postgres -- \
  #     psql -U embertime -t -c "select meeting_jwt_secret from app_settings"
  JWT_APP_SECRET: "REPLACE_WITH_VALUE_FROM_EMBERTIME"