generated from coulomb/repo-seed
# inter-hub Runtime Secret

`inter-hub.env.sops.yaml` is the durable source for the production
`inter-hub/inter-hub-env` Kubernetes Secret. The file is encrypted with the
shared Railiance age recipient declared in the repo root `.sops.yaml`.

Do not commit plaintext secret material. This directory ignores plaintext files
by default; only `*.sops.yaml`, examples, docs, and helper scripts are tracked.

## Create Or Refresh

Use an attended operator shell with `kubectl`, `sops`, and access to the shared
Railiance age identity:

```bash
# Stage the plaintext in a temp file that is removed when the shell exits.
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT

# Export the live Secret and convert it to the layout sops expects.
kubectl -n inter-hub get secret inter-hub-env -o json \
  | python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
  > "$tmp"

# The mktemp file has no extension, so tell sops the format explicitly;
# otherwise it falls back to its binary store and the result does not
# decrypt back into a manifest.
sops --encrypt \
  --input-type yaml --output-type yaml \
  --age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
  "$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml
```

Review only non-secret metadata before committing:

```bash
# Only the leading lines are shown; secret values stay off the terminal.
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | sed -n '1,8p'
```

## Apply

```bash
# Decrypt straight into kubectl; nothing is written to disk.
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | kubectl apply -f -

# Running pods only pick up the new values on restart.
kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub
```

## Expected Keys

- `DATABASE_URL`
- `IHP_SESSION_SECRET`
- `IHP_BASEURL`
- `PORT`
- `IHP_ENV`