prod deployment

bin/secret-update

@@ -50,19 +50,21 @@ if [ ! -d "$SECRETS_DIR" ]; then
     exit 1
 fi
 
-# Get kubectl context
+# Set kubectl command and warn for prod
 if [[ "$ENV" == "prod" ]]; then
-    CONTEXT=$(kubectl config current-context)
+    KUBECTL="kubectl --context=prod"
     echo -e "${YELLOW}⚠️  WARNING: Updating PRODUCTION secrets!${NC}"
-    echo -e "${YELLOW}Current kubectl context: $CONTEXT${NC}"
+    echo -e "${YELLOW}kubectl context: prod${NC}"
     read -p "Are you sure you want to continue? (yes/no): " confirm
     if [[ "$confirm" != "yes" ]]; then
         echo "Aborted."
         exit 0
     fi
+else
+    KUBECTL="kubectl"
 fi
 
-apply_secret() {
+apply_secret_dev() {
     local secret_file="$1"
     local secret_basename=$(basename "$secret_file" .yaml)
 
@@ -73,45 +75,71 @@ apply_secret() {
     fi
 
     echo -e "${GREEN}→${NC} Applying $secret_basename..."
-    kubectl apply -f "$secret_file"
+    $KUBECTL apply -f "$secret_file"
     echo -e "${GREEN}✓${NC} $secret_basename updated"
 }
 
+apply_secret_prod() {
+    local tpl_file="$1"
+    local secret_basename=$(basename "$tpl_file" .tpl.yaml)
+
+    if [ ! -f "$tpl_file" ]; then
+        echo -e "${RED}✗ Template file not found: $tpl_file${NC}"
+        return 1
+    fi
+
+    echo -e "${GREEN}→${NC} Applying $secret_basename (via op inject)..."
+    op inject -i "$tpl_file" | $KUBECTL apply -f -
+    echo -e "${GREEN}✓${NC} $secret_basename updated"
+}
+
+SECRETS=(
+    "ai-secrets"
+    "postgres-secret"
+    "minio-secret"
+    "ingestor-secrets"
+    "flink-secrets"
+    "gateway-secrets"
+    "sandbox-secrets"
+)
+
 # Update specific secret or all secrets
 if [ -n "$SECRET_NAME" ]; then
-    # Update single secret
-    SECRET_FILE="$SECRETS_DIR/$SECRET_NAME.yaml"
-    apply_secret "$SECRET_FILE"
+    if [[ "$ENV" == "prod" ]]; then
+        apply_secret_prod "$SECRETS_DIR/$SECRET_NAME.tpl.yaml"
+    else
+        apply_secret_dev "$SECRETS_DIR/$SECRET_NAME.yaml"
+    fi
 else
-    # Update all secrets
     echo -e "${GREEN}Updating all $ENV secrets...${NC}"
     echo ""
 
-    SECRETS=(
-        "ai-secrets"
-        "postgres-secret"
-        "minio-secret"
-        "ingestor-secrets"
-        "flink-secrets"
-        "gateway-secrets"
-        "sandbox-secrets"
-    )
-
     FAILED=0
     for secret in "${SECRETS[@]}"; do
-        SECRET_FILE="$SECRETS_DIR/$secret.yaml"
-        if ! apply_secret "$SECRET_FILE"; then
-            FAILED=$((FAILED + 1))
+        if [[ "$ENV" == "prod" ]]; then
+            if ! apply_secret_prod "$SECRETS_DIR/$secret.tpl.yaml"; then
+                FAILED=$((FAILED + 1))
+            fi
+        else
+            if ! apply_secret_dev "$SECRETS_DIR/$secret.yaml"; then
+                FAILED=$((FAILED + 1))
+            fi
         fi
     done
 
     echo ""
     if [ $FAILED -gt 0 ]; then
-        echo -e "${YELLOW}⚠️  $FAILED secret(s) failed to apply${NC}"
-        echo -e "${YELLOW}Create missing secret files by copying from .example templates:${NC}"
-        echo -e "${YELLOW}  cd $SECRETS_DIR${NC}"
-        echo -e "${YELLOW}  cp SECRET_NAME.yaml.example SECRET_NAME.yaml${NC}"
-        echo -e "${YELLOW}  # Edit SECRET_NAME.yaml with actual values${NC}"
+        if [[ "$ENV" == "prod" ]]; then
+            echo -e "${YELLOW}⚠️  $FAILED secret(s) failed to apply${NC}"
+            echo -e "${YELLOW}Ensure 1Password CLI is authenticated: op signin${NC}"
+            echo -e "${YELLOW}Ensure 'AI Prod' vault items exist (see deploy/k8s/prod/secrets/*.tpl.yaml)${NC}"
+        else
+            echo -e "${YELLOW}⚠️  $FAILED secret(s) failed to apply${NC}"
+            echo -e "${YELLOW}Create missing secret files by copying from .example templates:${NC}"
+            echo -e "${YELLOW}  cd $SECRETS_DIR${NC}"
+            echo -e "${YELLOW}  cp SECRET_NAME.yaml.example SECRET_NAME.yaml${NC}"
+            echo -e "${YELLOW}  # Edit SECRET_NAME.yaml with actual values${NC}"
+        fi
         exit 1
     else
         echo -e "${GREEN}✓ All secrets updated successfully${NC}"