From d93185269ba24e85d33b58ae695a913508fe9153 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Sun, 14 Jun 2026 17:58:11 +0200
Subject: [PATCH] chore(deploy): add encrypted runtime secret source [skip ci]
---
.../railiance/secrets/inter-hub.env.sops.yaml | 27 +++++++++++++++++++
.../IHUB-WP-0018-railiance01-deployment.md | 18 +++++++++----
2 files changed, 40 insertions(+), 5 deletions(-)
create mode 100644 deploy/railiance/secrets/inter-hub.env.sops.yaml
diff --git a/deploy/railiance/secrets/inter-hub.env.sops.yaml b/deploy/railiance/secrets/inter-hub.env.sops.yaml
new file mode 100644
index 0000000..e3a0250
--- /dev/null
+++ b/deploy/railiance/secrets/inter-hub.env.sops.yaml
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: inter-hub-env + namespace: inter-hub +type: Opaque +stringData: + DATABASE_URL: ENC[AES256_GCM,data:uMryx592YJ4Puc1Dg3msJ251RGWW34zAsmc4oIhFZ5IrloOLOzKgBkzpYCnt0v6X5iQSWLayBbCI1clfFf6W5vLFvyWBNzfWzlc66sFiU/IG0qJZZIIWNnWUZmTqvN31gtSXjTYQM0lvDZBbSRjLwRRchMaG/LCrhUo+akhV3QMXWvpuDHnC82b0OaOwZRCnNM4=,iv:U9VdgQpZY+5OI5KaTTFvSejiibaH03RqTaBruKTgups=,tag:zWWVVB/zXvio6z8jzt8FYA==,type:str] + IHP_BASEURL: ENC[AES256_GCM,data:GrIWPkoT3OroUgbZiLDsoBH6QgKbjROFkYU=,iv:Ky1ysaY6YQ0WRDywCG+WLys//8N4be2Lw8a0jJr7ovo=,tag:7+lyTiXfop+Q7CW66frWuw==,type:str] + IHP_ENV: ENC[AES256_GCM,data:q4SFghcGM7Yodg==,iv:Vd1Dq+AKcxKayChG4PLeyTQvFpU7KEbGg/FpTqJzTps=,tag:yR+7AjKoWv/TrLvsQqRc8A==,type:str] + IHP_SESSION_SECRET: ENC[AES256_GCM,data:vjhRzB6xXw6m5+9zUCMXAhJcBk7XZJCsA0GwqN+UvottYL/XEFKFPkeFco2YzxCnYZ5B1bdaFgK2eFVXs0qgrQ==,iv:JE9dEZvpldqreBufrvj6Keb7VFdXcJHhuZgMfeVsc1A=,tag:aWM9HGsoRD0z/LYLNoORJg==,type:str] + PORT: ENC[AES256_GCM,data:4KBUgA==,iv:IPYTKvQVFlxy53OIJiyMnnM7LDN2qqdrn2VxWDbUaa8=,tag:J5a1jUcRi004FakTp7qEHA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNHZxdHFnMjRWOE5DMUhB + NlgzSFUrT2FCUjR1cy8vdG9mcHRLcXcwT0VRCnl0cURjWUMyNTJSY1hYK3N4ZHRV + bTJqQjR6SDNQOTJTb0ZmSGdWSXc5YVUKLS0tIDBvQUowR0ZLMDI5YUIvOEU2SkFS + SlJ3TEJqeWx2MzlnanFWajFJaWQ0Sm8KglhHEIOrJrbWbQS0mUI2fGGmdkt9GUVr + dBSr0HPa+DsNwStM2n6EJHADcF1+3CS2HP1JS0m58QkNfuJiF1EIZw== + -----END AGE ENCRYPTED FILE----- + recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 + encrypted_regex: ^(DATABASE_URL|IHP_SESSION_SECRET|IHP_BASEURL|PORT|IHP_ENV)$ + lastmodified: "2026-06-14T15:54:36Z" + mac: ENC[AES256_GCM,data:Z5r73+ihZB1BUyFcC3E97G6/rQdcmDdujoUCNhbU8H2tLD3TlF8619nMt2KfOUiygiGdy+luBJYu9mgbc7zimR163E/JJjOLIRBErXQsYZOHYS2BL62xcNIGeII56UpJlnfVICFNtKYzmxmDI/ZFDMbZa1Z6q29SfUjY7WdnvjE=,iv:Frk1qAkfufNN0WHb9X0jyNureILOc/Ww0CbON2XArEs=,tag:vZ9ronrfa1Pt+f//MOsw2Q==,type:str] + 
version: 3.13.1 diff --git a/workplans/IHUB-WP-0018-railiance01-deployment.md b/workplans/IHUB-WP-0018-railiance01-deployment.md index 099192a..0bbd2e7 100644 --- a/workplans/IHUB-WP-0018-railiance01-deployment.md +++ b/workplans/IHUB-WP-0018-railiance01-deployment.md @@ -4,7 +4,7 @@ type: workplan title: "Railiance01 Deployment — Production Operations Scaffold" domain: inter_hub repo: inter-hub -status: active +status: finished owner: custodian topic_slug: inter_hub created: "2026-04-29" @@ -217,7 +217,7 @@ that database through the `inter-hub-env` Kubernetes Secret. ```task id: IHUB-WP-0018-T05 -status: in_progress +status: done priority: high state_hub_task_id: "926f82d1-15cd-425d-8a41-3d6b51c07f0b" ``` @@ -256,9 +256,17 @@ and related runtime env is committed and wired into the deploy path. **Progress note (2026-06-14):** Added repo root `.sops.yaml`, plaintext guardrails under `deploy/railiance/secrets/`, an example Secret manifest, and `k8s-secret-json-to-sops-input.py` to convert the live Kubernetes Secret into a -SOPS-ready manifest without printing values. This remains in progress because -`deploy/railiance/secrets/inter-hub.env.sops.yaml` is not committed yet; local -`sops` tooling was not available during this session. +SOPS-ready manifest without printing values. At that point the encrypted source +file was still pending because local `sops` tooling was not available. + +**Completion note (2026-06-14):** Created +`deploy/railiance/secrets/inter-hub.env.sops.yaml` from the live +`inter-hub/inter-hub-env` Kubernetes Secret using temporary `sops` v3.13.1 and +the shared Railiance age recipient. Verified the file is SOPS-encrypted, parses +as YAML, leaves only non-secret metadata reviewable, and does not contain the +checked plaintext runtime markers. Decryption/apply verification remains a +custody-backed operator capability because the private age identity is not +present in the normal workstation or haskelseed shell. ### R6 — Helm chart in railiance-apps
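Review bot: `encrypted_regex: ^(DATABASE_URL|IHP_SESSION_SECRET|IHP_BASEURL|PORT|IHP_ENV)$` in the new file's `sops` metadata enumerates the keys by name, so any variable added to `stringData` later that is not in that list would be written to the repository in plaintext by `sops` with no error; anchoring the rule on the container key instead, `encrypted_regex: ^(data|stringData)$`, encrypts every value under the Secret regardless of its name and is the usual setting for Kubernetes manifests. The same pattern presumably belongs in the repo-root `.sops.yaml` creation rule referenced in the workplan hunk, since that is what governs future files here (not visible in this patch). The subject line carries `[skip ci]`, so if the plaintext guardrails mentioned in the workplan run as CI checks, they did not run against the very commit that introduces the secrets file; a follow-up run, or a sentence in the commit body on why the skip was safe, would close that gap. Separately, only one age recipient is listed, so decryptability rests on a single identity; that may be intentional given the custody arrangement described, but a comment in `.sops.yaml` stating where the recovery identity is held would make the dependency explicit.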