From 411415b91fe88d8f75f84e828bf5ed927e70f2db Mon Sep 17 00:00:00 2001 From: Niel Date: Tue, 5 Sep 2023 15:45:21 +0200 Subject: [PATCH] docs: add explanation of what the makefile targets do #78 --- {{cookiecutter.project_slug}}/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/{{cookiecutter.project_slug}}/README.md b/{{cookiecutter.project_slug}}/README.md index 0fa5abb3..9cb11450 100644 --- a/{{cookiecutter.project_slug}}/README.md +++ b/{{cookiecutter.project_slug}}/README.md 
@@ -76,20 +76,22 @@ can access it at [http://localhost:3000/](http://localhost:3000/). ## SealedSecrets for passwords and sensitive values SealedSecrets can be used to encrypt passwords for the values to be safely checked in. -To create a new secret encrypt the base64 encoded secrets using [kubeseal](https://github.com/bitnami-labs/sealed-secrets#kubeseal). +Creating a new secret involves encrypting the base64 encoded secret using kubeseal. [Installing kubeseal](https://github.com/bitnami-labs/sealed-secrets#kubeseal). Configure kubernetes to your current project config and context, making sure you are in the correct prod/sandbox environment $ export KUBECONFIG=~/.kube/config:~/.kube/{{cookiecutter.project_slug}}.ec2.config $ kubectl config use-context {{cookiecutter.project_slug}}-ec2-cluster -You can store the secrets in 1Password and read the sensitive values to set it as enviroment variables: +To ease managing your passwords and secrets you can store the values in 1Password. The makefile target `read-op-secrets` will read the values from 1Password and store it as base64 encoded enviroment variables. (The 1Password path in .envrc MUST match the path in the vault) $ make read-op-secrets -You can also manually export the variables to your environment, but kubeseal needs the variables to be base64 encoded. -Add the secrets to your manifest using the secrets template file, and run kubeseal on the unencrypted values +You can also manually export the variables to your environment, but kubeseal requires the variables to be base64 encoded. +Add the secrets to your manifest using the secrets template file, and run kubeseal on the unencrypted values. The makefile target `sandbox-secrets` will replace the variables in `./k8s/templates/secrets.yaml.template` with the encoded variables from the environment, and copy the manifest with the encrypted values to `.k8s/sandbox/secrets.yaml`. 
The same can be done for the prod environment using the `prod-secrets` target + + $ make sandbox-secrets $ make prod-secrets
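Review bot: In the added sentence describing the `sandbox-secrets` target, the output path is written as `.k8s/sandbox/secrets.yaml` while the template path in the same sentence is `./k8s/templates/secrets.yaml.template`. One of the two looks like a typo (probably the output should be `./k8s/sandbox/secrets.yaml`), and as written it sends the reader to a hidden `.k8s` directory. In the added `read-op-secrets` sentence, "enviroment" is carried over misspelled from the removed line, and "store it" should be "store them" to agree with "values". The replacement for the kubeseal line leaves "[Installing kubeseal](...)" as a bare fragment after the sentence; consider folding the link into the sentence itself. Because the new text tells readers that the values sit base64 encoded in environment variables before sealing, it would also help to say in that paragraph that base64 is an encoding and not encryption, so only the kubeseal output is safe to check in.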