# Template: Deployment Using ExternalSecret
#
# This shows how to reference and use the synced Kubernetes Secret in a Deployment.
# Copy and customize this template in your application's k8s manifests.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default  # CHANGE: Your application's namespace
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-app
      
      containers:
      - name: app
        image: my-app:latest
        imagePullPolicy: Always
        
        # Method 1: Import all secret keys as environment variables
        envFrom:
        - secretRef:
            name: app-secrets  # CHANGE: Name of the ExternalSecret's target
        
        # Method 2: Individual secret values as environment variables
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: app-secrets  # CHANGE: Name of the ExternalSecret's target
              key: DATABASE_URL
        
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: app-secrets  # CHANGE: Name of the ExternalSecret's target
              key: API_KEY
        
        # Method 3: Mount secret as files (useful for config files)
        volumeMounts:
        - name: app-secrets
          mountPath: /etc/app/secrets
          readOnly: true
        
        ports:
        - containerPort: 8000
          name: http
      
      # Volume for mounting secrets
      volumes:
      - name: app-secrets
        secret:
          secretName: app-secrets  # CHANGE: Name of the ExternalSecret's target
          defaultMode: 0400         # Read-only for owner only