---
apiVersion: v1
kind: Secret
metadata:
  name: shared-credentials
  namespace: namespace-1
  annotations:
    # Mirror this secret to all namespaces with allow-mirrors label
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "all"
  labels:
    # Required: enables server-side filtering
    kubemirror.raczylo.com/enabled: "true"
    app: kubemirror-example
    resource-type: shared-secret
type: Opaque
stringData:
  username: admin
  password: super-secret-password
  api-key: "1234567890abcdef"

---
apiVersion: v1
kind: Secret
metadata:
  name: database-credentials
  namespace: namespace-1
  annotations:
    # Mirror this secret only to specific namespaces
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-3,namespace-4"
  labels:
    # Required: enables server-side filtering
    kubemirror.raczylo.com/enabled: "true"
    app: kubemirror-example
    resource-type: database-secret
type: Opaque
stringData:
  db-host: "postgres.example.com"
  db-user: "appuser"
  db-password: "db-secret-password"
  db-name: "myapp"

---
apiVersion: v1
kind: Secret
metadata:
  name: local-secret
  namespace: namespace-1
  labels:
    app: kubemirror-example
    resource-type: local-only
type: Opaque
stringData:
  # This secret has NO mirror annotation, so it stays local
  local-data: "This stays in namespace-1 only"