# inter-hub Runtime Secret

`inter-hub.env.sops.yaml` is the durable source for the production
`inter-hub/inter-hub-env` Kubernetes Secret. The file is encrypted with the
shared Railiance age recipient declared in the repo root `.sops.yaml`.

Do not commit plaintext secret material. This directory ignores plaintext files
by default; only `*.sops.yaml`, examples, docs, and helper scripts are tracked.

## Create Or Refresh

Use an attended operator shell with `kubectl`, `sops`, and access to the shared
Railiance age identity:

```bash
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT

kubectl -n inter-hub get secret inter-hub-env -o json \
  | python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
  > "$tmp"

sops --encrypt \
  --age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
  "$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml
```

Review only non-secret metadata before committing:

```bash
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | sed -n '1,8p'
```

## Apply

```bash
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | kubectl apply -f -

kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub
```

## Expected Keys

- `DATABASE_URL`
- `IHP_SESSION_SECRET`
- `IHP_BASEURL`
- `PORT`
- `IHP_ENV`