`inter-hub/deploy/railiance/secrets/README.md`

# inter-hub Runtime Secret

`inter-hub.env.sops.yaml` is the durable source for the production
`inter-hub/inter-hub-env` Kubernetes Secret. The file is encrypted with the
shared Railiance age recipient declared in the repo root `.sops.yaml`.

Do not commit plaintext secret material. This directory ignores plaintext files
by default; only `*.sops.yaml`, examples, docs, and helper scripts are tracked.

## Create Or Refresh

Use an attended operator shell with `kubectl`, `sops`, and access to the shared
Railiance age identity:

```bash
# Stage the plaintext in a private (mode 0600) temp file that is removed when the shell exits.
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
kubectl -n inter-hub get secret inter-hub-env -o json \
| python3 deploy/railiance/secrets/k8s-secret-json-to-sops-input.py \
> "$tmp"
# sops picks the data format from the file extension and the temp file has none,
# so name the format explicitly; otherwise the input is treated as an opaque blob
# and the committed file is not a YAML manifest. The recipient must match the
# shared Railiance recipient in the repo root .sops.yaml.
sops --encrypt --input-type yaml --output-type yaml \
--age age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 \
"$tmp" > deploy/railiance/secrets/inter-hub.env.sops.yaml
```

Review only non-secret metadata before committing:

```bash
# Print just the leading lines (apiVersion, kind, metadata); do not page through the data section.
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
| sed -n '1,8p'
```

## Apply

```bash
# Decrypt to stdout and pipe straight into kubectl; no plaintext is written to disk.
sops -d deploy/railiance/secrets/inter-hub.env.sops.yaml \
| kubectl apply -f -
# Pods only pick up a changed Secret on restart, so roll the deployment and wait for it.
kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub
```

## Recovery Drill

After the custody-backed age identity is unlocked, run:

```bash
make recovery-drill
```

If `sops` is not on `PATH`, pass it explicitly:

```bash
SOPS_BIN=/path/to/sops make recovery-drill
```

If the age identity is not in the default SOPS location, pass only the key-file
path (`SOPS_AGE_KEY_FILE`), never the key contents, so the private key stays out
of shell history:

```bash
SOPS_AGE_KEY_FILE=/path/to/custody-backed/age/keys.txt make recovery-drill
```

The drill decrypts the committed SOPS file in memory, checks the expected
Kubernetes Secret metadata and required key names, and prints timestamped
PASS/FAIL evidence without printing secret values.

## Expected Keys

The drill fails if any of these key names is missing from the Secret:

- `DATABASE_URL`
- `IHP_SESSION_SECRET`
- `IHP_BASEURL`
- `PORT`
- `IHP_ENV`
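The checks the drill performs, as an added example written for this README and not the project's own `make recovery-drill` code: it takes the decrypted manifest already parsed into a dict (load `sops -d` output with a YAML library, or `kubectl -o json` output with `json`), compares the metadata and the key list above, and reports by field and key name only. The sample manifest is constructed; the expected name and namespace are taken from the `kubectl` command in this README.

```python
import base64
from datetime import datetime, timezone

# What the drill checks: name and namespace from the kubectl command in this
# README, key names from the Expected Keys list.
EXPECTED_META = {"kind": "Secret", "name": "inter-hub-env", "namespace": "inter-hub"}
EXPECTED_KEYS = ("DATABASE_URL", "IHP_SESSION_SECRET", "IHP_BASEURL", "PORT", "IHP_ENV")

def check_secret(manifest):
    """Findings for a decrypted, parsed Secret; names fields and keys, never values."""
    meta = manifest.get("metadata") or {}
    got = {"kind": manifest.get("kind"), "name": meta.get("name"),
           "namespace": meta.get("namespace")}
    findings = [f"{field} is {got[field]!r}, expected {want!r}"
                for field, want in EXPECTED_META.items() if got[field] != want]
    data = manifest.get("data") or {}
    # A key counts as present under either data (base64) or stringData (plain).
    present = set(data) | set(manifest.get("stringData") or {})
    findings += [f"required key {k} is missing" for k in EXPECTED_KEYS if k not in present]
    # Malformed base64 under data would only surface at apply time; flag it by key name.
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            findings.append(f"data.{key} is not valid base64")
    return findings

def drill_report(manifest):
    """Timestamped evidence lines: one PASS/FAIL summary, then one line per finding."""
    findings = check_secret(manifest)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    verdict = "FAIL" if findings else "PASS"
    lines = [f"{stamp} {verdict} inter-hub/inter-hub-env"]
    return verdict, lines + [f"{stamp} FAIL {f}" for f in findings]

# Constructed sample in the shape `kubectl get secret -o json` returns; the values
# are base64 of "placeholder" or "8000", not real secret material.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "inter-hub-env", "namespace": "inter-hub"},
    "type": "Opaque",
    "data": {"DATABASE_URL": "cGxhY2Vob2xkZXI=", "IHP_SESSION_SECRET": "cGxhY2Vob2xkZXI=",
             "IHP_BASEURL": "cGxhY2Vob2xkZXI=", "PORT": "ODAwMA=="},
    "stringData": {"IHP_ENV": "Production"},
}

if __name__ == "__main__":
    print("\n".join(drill_report(SAMPLE)[1]))
```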