chore(deploy): add custody recovery drill target [skip ci]

2026-06-14 18:33:50 +02:00
parent 1a7e6afabf
commit e9a9eaa607
4 changed files with 128 additions and 2 deletions
--- a/deploy/railiance/secrets/README.md
+++ b/deploy/railiance/secrets/README.md
@@ -42,6 +42,31 @@ kubectl rollout restart deployment/inter-hub -n inter-hub
 kubectl rollout status deployment/inter-hub -n inter-hub
 ```

+## Recovery Drill
+
+After the custody-backed age identity is unlocked, run:
+
+```bash
+make recovery-drill
+```
+
+If `sops` is not on `PATH`, pass it explicitly:
+
+```bash
+SOPS_BIN=/path/to/sops make recovery-drill
+```
+
+If the age identity is not in the default SOPS location, pass only the key-file
+path, not the key contents:
+
+```bash
+SOPS_AGE_KEY_FILE=/path/to/custody-backed/age/keys.txt make recovery-drill
+```
+
+The drill decrypts the committed SOPS file in memory, checks the expected
+Kubernetes Secret metadata and required key names, and prints timestamped
+PASS/FAIL evidence without printing secret values.
+
 ## Expected Keys

 - `DATABASE_URL`