# inter-hub Runtime Secret
inter-hub.env.sops.yaml is the durable source for the production
inter-hub/inter-hub-env Kubernetes Secret. The file is encrypted with the
shared Railiance age recipient declared in the repo root .sops.yaml.
Do not commit plaintext secret material. This directory ignores plaintext files
by default; only *.sops.yaml, examples, docs, and helper scripts are tracked.
## Create Or Refresh

Use an attended operator shell with kubectl, sops, and access to the shared
Railiance age identity:

```bash
# Work in a temp file that is removed on exit, even if a step fails.
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT

# Export the live Secret and reduce it to the durable manifest sops should encrypt.
kubectl -n inter-hub get secret inter-hub-env -o json \
  | python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
  > "$tmp"

# Encrypt for the shared Railiance age recipient; only the ciphertext is committed.
sops --encrypt \
  --age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
  "$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml
```
Review only the non-secret metadata before committing (the leading lines of the
decrypted manifest, not the data block):

```bash
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | sed -n '1,8p'
```

## Apply

```bash
# Decrypt straight into kubectl; plaintext never touches disk.
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
  | kubectl apply -f -

# Pods only pick up the new Secret on restart; wait for the rollout to finish.
kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub
```
## Recovery Drill

After the custody-backed age identity is unlocked, run:

```bash
make recovery-drill
```

If sops is not on PATH, pass it explicitly:

```bash
SOPS_BIN=/path/to/sops make recovery-drill
```

If the age identity is not in the default SOPS location, pass only the key-file path, not the key contents:

```bash
SOPS_AGE_KEY_FILE=/path/to/custody-backed/age/keys.txt make recovery-drill
```
The drill decrypts the committed SOPS file in memory, checks the expected Kubernetes Secret metadata and required key names, and prints timestamped PASS/FAIL evidence without printing secret values.
## Expected Keys

- DATABASE_URL
- IHP_SESSION_SECRET
- IHP_BASEURL
- PORT
- IHP_ENV
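The two transformations this README relies on, the Secret-JSON-to-sops-input step in "Create Or Refresh" and the metadata/key-name checks the recovery drill performs, are shown below as an added, self-contained Python example. It is not the repo's `k8s-secret-json-to-sops-input.py` or its `recovery-drill` target; the set of volatile metadata fields it strips, the sample Secret JSON, and the evidence format are assumptions, and every secret value in the sample is a constructed placeholder. The manifest it produces is emitted as JSON (a valid YAML subset) so the example has no PyYAML dependency; the real pipeline pipes the result into `sops --encrypt`.

```python
import base64
import json
from datetime import datetime, timezone

# Key names the drill requires (from the "Expected Keys" section above).
REQUIRED_KEYS = ("DATABASE_URL", "IHP_SESSION_SECRET", "IHP_BASEURL", "PORT", "IHP_ENV")

# Cluster-assigned metadata that must not be carried into the durable file.
# Assumption: this mirrors what the repo's helper script strips.
VOLATILE_METADATA = ("uid", "resourceVersion", "creationTimestamp",
                     "generation", "managedFields", "selfLink")
VOLATILE_ANNOTATIONS = ("kubectl.kubernetes.io/last-applied-configuration",)

# Constructed sample of `kubectl get secret -o json` output. Every value is a
# placeholder, not real secret material.
_PLACEHOLDER_VALUES = {
    "DATABASE_URL": "postgres://user:placeholder@db.invalid/inter_hub",
    "IHP_SESSION_SECRET": "placeholder-session-secret",
    "IHP_BASEURL": "https://inter-hub.example.invalid",
    "PORT": "8000",
    "IHP_ENV": "Production",
}
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "inter-hub-env",
        "namespace": "inter-hub",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2024-01-01T00:00:00Z",
        "managedFields": [{"manager": "kubectl"}],
        "labels": {"app": "inter-hub"},
        "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"},
    },
    "data": {k: base64.b64encode(v.encode()).decode() for k, v in _PLACEHOLDER_VALUES.items()},
})


def secret_json_to_sops_input(raw_json: str) -> dict:
    """Reduce a live Secret to the durable manifest sops should encrypt.

    Cluster-assigned fields are dropped so `kubectl apply -f -` re-creates the
    object cleanly and refreshes do not churn the encrypted file. Secret values
    pass through untouched (still base64 under `data`).
    """
    secret = json.loads(raw_json)
    if secret.get("kind") != "Secret":
        raise ValueError("input is not a Kubernetes Secret")
    meta = secret.get("metadata", {})
    clean_meta = {k: v for k, v in meta.items() if k not in VOLATILE_METADATA}
    annotations = {k: v for k, v in meta.get("annotations", {}).items()
                   if k not in VOLATILE_ANNOTATIONS}
    clean_meta.pop("annotations", None)
    if annotations:
        clean_meta["annotations"] = annotations
    manifest = {
        "apiVersion": secret.get("apiVersion", "v1"),
        "kind": "Secret",
        "type": secret.get("type", "Opaque"),
        "metadata": clean_meta,
    }
    for field in ("data", "stringData"):
        if field in secret:
            manifest[field] = secret[field]
    return manifest


def drill_check(manifest: dict, expected_name: str, expected_namespace: str,
                required_keys=REQUIRED_KEYS) -> list:
    """Return timestamped (stamp, "PASS"/"FAIL", message) evidence.

    Only metadata and key *names* appear in the evidence; values are checked
    for presence and non-emptiness but never included in any message.
    """
    evidence = []

    def record(ok: bool, message: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        evidence.append((stamp, "PASS" if ok else "FAIL", message))

    meta = manifest.get("metadata", {})
    record(manifest.get("kind") == "Secret", "kind is Secret")
    record(meta.get("name") == expected_name, f"metadata.name is {expected_name}")
    record(meta.get("namespace") == expected_namespace,
           f"metadata.namespace is {expected_namespace}")
    # `data` holds base64 values, `stringData` plaintext; either satisfies a key.
    present = {**manifest.get("stringData", {}), **manifest.get("data", {})}
    for key in required_keys:
        record(bool(present.get(key)), f"required key {key} present and non-empty")
    return evidence


def all_passed(evidence: list) -> bool:
    return all(status == "PASS" for _, status, _ in evidence)


if __name__ == "__main__":
    manifest = secret_json_to_sops_input(SAMPLE_SECRET_JSON)
    print("manifest data keys:", sorted(manifest["data"]))  # names only, never values
    for stamp, status, message in drill_check(manifest, "inter-hub-env", "inter-hub"):
        print(f"{stamp} {status} {message}")
```

Run it directly to see the PASS/FAIL lines; the evidence deliberately carries key names and metadata only, so it is safe to paste into a ticket or audit log, which is the same property the README asks of `make recovery-drill`.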