Use full secret paths.

apps/README.md

@@ -149,9 +149,58 @@ Apps that rely on PostgreSQL or MySQL databases typically need a database initia
 
 Examples of apps with db-init jobs: `gitea`, `codimd`, `immich`, `openproject`
 
+##### Database URL Configuration
+
+**Important:** When apps require database URLs with embedded credentials, always use a separate `dbUrl` secret instead of trying to construct the URL with environment variable substitution in Kustomize templates.
+
+❌ **Wrong** (Kustomize cannot process runtime env var substitution):
+```yaml
+- name: DB_URL
+  value: "postgresql://user:$(DB_PASSWORD)@host/db"
+```
+
+✅ **Correct** (Use a dedicated secret):
+```yaml
+- name: DB_URL
+  valueFrom:
+    secretKeyRef:
+      name: app-secrets
+      key: apps.appname.dbUrl
+```
+
+Add `apps.appname.dbUrl` to the manifest's `requiredSecrets` and the `wild-app-add` script will generate the complete URL with embedded credentials.
+
+##### Security Context Requirements
+
+Pods must comply with Pod Security Standards. All pods should include proper security contexts to avoid deployment warnings:
+
+```yaml
+spec:
+  template:
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999        # Use appropriate non-root user ID
+        runAsGroup: 999       # Use appropriate group ID
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: container-name
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: false  # Set to true when possible
+```
+
+For PostgreSQL init jobs, use `runAsUser: 999` (postgres user). For other database types, use the appropriate non-root user ID for that database container.
+
 #### Secrets
 
-Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `requiredSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `requiredSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`. For example, to mount a secret in an environment variable, you would use:
+Secrets are managed in the `secrets.yaml` file in the Wild Cloud home directory. The app's `manifest.yaml` should list any required secrets under `requiredSecrets`. When the app is added, default secret values will be generated and stored in the `secrets.yaml` file. Secrets are always stored and referenced in the `apps.<app-name>.<secret-name>` yaml path. When `wild-app-deploy` is run, a Secret resource will be created in the Kubernetes cluster with the name `<app-name>-secrets`, containing all secrets defined in the manifest's `requiredSecrets` key. These secrets can then be referenced in the app's Kustomize files using a `secretKeyRef`. 
+
+**Important:** Always use the full dotted path from the manifest as the secret key, not just the last segment. For example, to mount a secret in an environment variable, you would use:
 
 ```yaml
 env:
@@ -159,9 +208,11 @@ env:
         valueFrom:
         secretKeyRef:
             name: immich-secrets
-            key: dbPassword
+            key: apps.immich.dbPassword  # Use full dotted path, not just "dbPassword"
 ```
 
+This approach prevents naming conflicts between apps and makes secret keys more descriptive and consistent with the `secrets.yaml` structure.
+
 `secrets.yaml` files should not be checked in to a git repository and are ignored by default in Wild Cloud home directories. Checked in kustomize files should only reference secrets, not compile them.
 
 ## App Lifecycle