chore(deploy): add encrypted runtime secret source [skip ci]

2026-06-14 17:58:11 +02:00
parent c2009b300e
commit d93185269b
2 changed files with 40 additions and 5 deletions


@@ -4,7 +4,7 @@ type: workplan
title: "Railiance01 Deployment — Production Operations Scaffold"
domain: inter_hub
repo: inter-hub
status: active
status: finished
owner: custodian
topic_slug: inter_hub
created: "2026-04-29"
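Review bot: the workplan `status` flips from `active` to `finished` in this hunk, yet the completion note added further down in the same commit says decryption/apply verification of `deploy/railiance/secrets/inter-hub.env.sops.yaml` "remains a custody-backed operator capability", i.e. the encrypted source has not been round-tripped against the live Secret. Either keep the workplan `active` until that check is done, or add the round-trip as an explicit remaining item so `finished` reflects the verified state of the deploy path rather than the existence of the file.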
@@ -217,7 +217,7 @@ that database through the `inter-hub-env` Kubernetes Secret.
```task
id: IHUB-WP-0018-T05
status: in_progress
status: done
priority: high
state_hub_task_id: "926f82d1-15cd-425d-8a41-3d6b51c07f0b"
```
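Review bot: task `IHUB-WP-0018-T05` moves from `in_progress` to `done` although, per the completion note in this commit, the encrypted file it covers has only been checked statically (SOPS-encrypted, parses as YAML, no plaintext markers) and has not been decrypted or applied from any shell used here. Since the surrounding text defines the goal as the secret being "committed and wired into the deploy path", a `sops -d` dry run and `kubectl apply --dry-run=server` by the holder of the age identity should be attached to state_hub task `926f82d1-15cd-425d-8a41-3d6b51c07f0b` before it closes, so that `done` is backed by evidence the deploy path can actually consume the file.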
@@ -256,9 +256,17 @@ and related runtime env is committed and wired into the deploy path.
**Progress note (2026-06-14):** Added repo root `.sops.yaml`, plaintext
guardrails under `deploy/railiance/secrets/`, an example Secret manifest, and
`k8s-secret-json-to-sops-input.py` to convert the live Kubernetes Secret into a
SOPS-ready manifest without printing values. This remains in progress because
`deploy/railiance/secrets/inter-hub.env.sops.yaml` is not committed yet; local
`sops` tooling was not available during this session.
SOPS-ready manifest without printing values. At that point the encrypted source
file was still pending because local `sops` tooling was not available.
**Completion note (2026-06-14):** Created
`deploy/railiance/secrets/inter-hub.env.sops.yaml` from the live
`inter-hub/inter-hub-env` Kubernetes Secret using temporary `sops` v3.13.1 and
the shared Railiance age recipient. Verified the file is SOPS-encrypted, parses
as YAML, leaves only non-secret metadata reviewable, and does not contain the
checked plaintext runtime markers. Decryption/apply verification remains a
custody-backed operator capability because the private age identity is not
present in the normal workstation or haskelseed shell.
### R6 — Helm chart in railiance-apps
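Review bot: the verification list in the new completion note is negative-only (encrypted, parses, no plaintext markers); nothing confirms the file decrypts to the same key set and values as the live `inter-hub/inter-hub-env` Secret, and the note itself says decryption is not possible on the workstation or haskelseed shell. Suggest recording the exact checks run, for example that every `data`/`stringData` value is an `ENC[AES256_GCM,...]` string, that the `sops` metadata block lists only the shared Railiance age recipient and carries a `mac`, and then scheduling a custody-side `sops -d` round-trip that compares key names and per-value digests (not values) against the live Secret before R6 wires this file into the Helm chart. Two smaller points for the same note: state whether the intermediate produced by `k8s-secret-json-to-sops-input.py` was removed after encryption, since the earlier guardrails only cover not printing values, and pin the `sops` version used (v3.13.1 here, installed temporarily) in the deploy tooling notes so a later re-encryption is reproducible.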