- Add ExternalSecret for auth secrets (SESSION_SECRET, GitHub OAuth) via AWS Secrets Manager
- Separate user-configurable provider API keys into dedicated K8s Secret
- Update deployment to use three-layer configuration model:
  * ConfigMap: non-sensitive public settings
  * ExternalSecret → Secret: infrastructure auth secrets from AWS
  * Secret: user-configurable provider API keys managed via UI
- Add comprehensive documentation for AWS Secrets Manager setup
- Include K8s deployment architecture guide with troubleshooting commands
- Enable secure, auditable, and rotatable secrets management for production

This follows enterprise security best practices with proper separation of concerns between infrastructure and user secrets.

- Add SESSION_SECRET to Secret template for secure cookie encryption
- Add GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET for OAuth authentication
- Update deployment to reference both ConfigMap and Secret via envFrom
- Ensure sensitive data stays in Secret (base64 encoded) not ConfigMap
- Add helpful comments for secret generation and security best practices

This enables secure session management and GitHub authentication in EKS deployment.
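
The three-layer configuration model described in these commit messages, as an added example that is not part of the commits themselves. It assumes the External Secrets Operator with an already configured SecretStore; every resource name, the image reference and the AWS secret path are hypothetical placeholders.

```yaml
# Layer 2: infrastructure auth secrets synced from AWS Secrets Manager.
# Assumes the External Secrets Operator; all names below are hypothetical.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-auth-secrets
spec:
  refreshInterval: 1h                  # periodic re-sync so rotations in AWS propagate
  secretStoreRef:
    kind: SecretStore
    name: aws-secrets-manager          # hypothetical, must already exist
  target:
    name: app-auth-secrets             # K8s Secret created by the operator
  data:
    - secretKey: SESSION_SECRET
      remoteRef: {key: example/app/auth, property: SESSION_SECRET}
    - secretKey: GITHUB_CLIENT_ID
      remoteRef: {key: example/app/auth, property: GITHUB_CLIENT_ID}
    - secretKey: GITHUB_CLIENT_SECRET
      remoteRef: {key: example/app/auth, property: GITHUB_CLIENT_SECRET}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      containers:
        - name: app
          image: example.invalid/app:placeholder
          envFrom:
            - configMapRef:            # layer 1: non-sensitive public settings
                name: app-config
            - secretRef:               # layer 2: Secret produced by the ExternalSecret
                name: app-auth-secrets
            - secretRef:               # layer 3: provider API keys managed via the UI
                name: app-provider-keys
```

Keeping the three sources as separate objects lets RBAC differ per layer: the application can be granted write access to the provider-key Secret only, while the auth Secret is written solely by the operator.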