generated from coulomb/repo-seed
chore(deploy): add railiance handoff guardrails [skip ci]
This commit is contained in:
51
deploy/railiance/secrets/README.md
Normal file
51
deploy/railiance/secrets/README.md
Normal file
@@ -0,0 +1,51 @@
|
||||
# inter-hub Runtime Secret
|
||||
|
||||
`inter-hub.env.sops.yaml` is the durable source for the production
|
||||
`inter-hub/inter-hub-env` Kubernetes Secret. The file is encrypted with the
|
||||
shared Railiance age recipient declared in the repo root `.sops.yaml`.
|
||||
|
||||
Do not commit plaintext secret material. This directory ignores plaintext files
|
||||
by default; only `*.sops.yaml`, examples, docs, and helper scripts are tracked.
|
||||
|
||||
## Create Or Refresh
|
||||
|
||||
Use an attended operator shell with `kubectl`, `sops`, and access to the shared
|
||||
Railiance age identity:
|
||||
|
||||
```bash
|
||||
tmp="$(mktemp)"
|
||||
trap 'rm -f "$tmp"' EXIT
|
||||
|
||||
kubectl -n inter-hub get secret inter-hub-env -o json \
|
||||
| python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
|
||||
> "$tmp"
|
||||
|
||||
sops --encrypt \
|
||||
--age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
|
||||
"$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml
|
||||
```
|
||||
|
||||
Review only non-secret metadata before committing:
|
||||
|
||||
```bash
|
||||
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
|
||||
| sed -n '1,8p'
|
||||
```
|
||||
|
||||
## Apply
|
||||
|
||||
```bash
|
||||
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
|
||||
| kubectl apply -f -
|
||||
|
||||
kubectl rollout restart deployment/inter-hub -n inter-hub
|
||||
kubectl rollout status deployment/inter-hub -n inter-hub
|
||||
```
|
||||
|
||||
## Expected Keys
|
||||
|
||||
- `DATABASE_URL`
|
||||
- `IHP_SESSION_SECRET`
|
||||
- `IHP_BASEURL`
|
||||
- `PORT`
|
||||
- `IHP_ENV`
|
||||
Reference in New Issue
Block a user