inter-hub.env.sops.yaml is the durable source for the production inter-hub/inter-hub-env Kubernetes Secret. The file is encrypted with the shared Railiance age recipient declared in the repo root .sops.yaml.

Do not commit plaintext secret material. This directory ignores plaintext files by default; only *.sops.yaml, examples, docs, and helper scripts are tracked.

Create Or Refresh

Use an attended operator shell with kubectl, sops, and access to the shared Railiance age identity:

tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT

kubectl -n inter-hub get secret inter-hub-env -o json \
  | python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
  > "$tmp"

sops --encrypt \
  --age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
  "$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml

Review only non-secret metadata before committing:

sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | sed -n '1,8p'

Apply

sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | kubectl apply -f -

kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub

Expected Keys

DATABASE_URL
IHP_SESSION_SECRET
IHP_BASEURL
PORT
IHP_ENV