apiVersion: v1
kind: Secret
metadata:
  name: llm-gateway-secrets
  namespace: llm-gateway
  labels:
    app: llm-gateway
type: Opaque
stringData:
  # IMPORTANT: Replace these with actual values or use external secret management
  # For production, use:
  # - kubectl create secret generic llm-gateway-secrets --from-literal=...
  # - External Secrets Operator with AWS Secrets Manager/HashiCorp Vault
  # - Sealed Secrets
  GOOGLE_API_KEY: "your-google-api-key-here"
  ANTHROPIC_API_KEY: "your-anthropic-api-key-here"
  OPENAI_API_KEY: "your-openai-api-key-here"
  OIDC_AUDIENCE: "your-client-id.apps.googleusercontent.com"
---
# Example using External Secrets Operator (commented out)
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
#   name: llm-gateway-secrets
#   namespace: llm-gateway
# spec:
#   refreshInterval: 1h
#   secretStoreRef:
#     name: aws-secrets-manager
#     kind: SecretStore
#   target:
#     name: llm-gateway-secrets
#     creationPolicy: Owner
#   data:
#     - secretKey: GOOGLE_API_KEY
#       remoteRef:
#         key: prod/llm-gateway/google-api-key
#     - secretKey: ANTHROPIC_API_KEY
#       remoteRef:
#         key: prod/llm-gateway/anthropic-api-key
#     - secretKey: OPENAI_API_KEY
#       remoteRef:
#         key: prod/llm-gateway/openai-api-key
#     - secretKey: OIDC_AUDIENCE
#       remoteRef:
#         key: prod/llm-gateway/oidc-audience