# postgres-annotations.yaml
#
# The annotations CloudTaser's mutating webhook looks for. Applied
# at scenario step 5 via `kubectl patch deployment postgres ...`.
# Once the annotations are present, the next pod cycle in this Deployment
# gets cloudtaser-init injected as an init container; that container
# fetches POSTGRES_PASSWORD from the EU vault into a memfd_secret page
# and the postgres process inherits it via env (LD_PRELOAD shim).
#
# Authoritative on-the-wire keys (operator side:
# cloudtaser-operator/internal/webhook/sidecar_injector.go:26-150,
# demo side: cloudtaser-demo/demo-lab/scripts/step5.sh):
#
#   cloudtaser.io/inject                     enable injection at all
#   cloudtaser.io/secret-paths               vault path(s) holding the secret
#   cloudtaser.io/env-map                    rename: vault key -> env var
#   cloudtaser.io/vault-auth-method          how the wrapper authenticates
#
# The secret-paths value is the per-session vault entry written at
# step 4 (register); {{NAMESPACE}} stands for the demo's per-session
# unique namespace.
spec:
  template:
    # The annotations sit on the pod template, not on the Deployment's
    # own metadata: the pods carry them when the webhook admits them,
    # and changing the template is what causes the "next pod cycle".
    metadata:
      annotations:
        # Opt-in switch for injection. Presumably the remaining keys are
        # ignored while this is absent — confirm in sidecar_injector.go.
        # Annotation values are strings in Kubernetes, so keep the quotes;
        # an unquoted true is a YAML boolean and is rejected for annotations.
        cloudtaser.io/inject: "true"
        # Vault path(s) cloudtaser-init reads. {{NAMESPACE}} must be
        # substituted before `kubectl patch` (step5.sh); the literal braces
        # are harmless to YAML only because the value is quoted. The
        # separator for several paths is not documented here — check the
        # injector. Annotations are readable by anyone who can get the
        # Deployment or its Pods, so this exposes the path, never the secret.
        cloudtaser.io/secret-paths: "secret/data/{{NAMESPACE}}/postgres-credentials"
        # Format "<vault key>=<env var>" (header: "vault key -> env var");
        # identical names on both sides mean no renaming happens.
        cloudtaser.io/env-map: "POSTGRES_PASSWORD=POSTGRES_PASSWORD"
        # How cloudtaser-init authenticates to the vault. NOTE(review):
        # "token" implies a static vault token reaches the init container
        # through a channel not shown in this file — confirm it is mounted
        # from a Secret rather than carried in an annotation or plain env var.
        cloudtaser.io/vault-auth-method: "token"
