feat(secrets): encrypt gitea Helm values with SOPS (age)
Some checks failed
railiance-tests / smoke (push) Has been cancelled
Add .sops.yaml policy targeting *.sops.yaml files using the shared age key from railiance-infra. Migrate helm/gitea-values.yaml to encrypted helm/gitea-values.sops.yaml.

Pins all postgresql-ha passwords (postgresql, postgres, repmgr, pgpool, pgpool-admin, sr-check) so helm upgrade never regenerates secrets and breaks the running cluster.

Fixes WP-0003 T01.

Usage:
  helm upgrade gitea gitea/gitea -n default -f <(sops -d helm/gitea-values.sops.yaml)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
4
.gitignore
vendored
@@ -72,6 +72,10 @@ htmlcov/
|
||||
# Backup dropoff links (contain upload tokens)
|
||||
*backup-dropoff-link*
|
||||
|
||||
# SOPS: never commit decrypted values files
|
||||
# Encrypted versions (*.sops.yaml) are safe to commit
|
||||
helm/*-values.yaml
|
||||
|
||||
# IDE configs
|
||||
.vscode/
|
||||
.idea/
|
||||
|
||||
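Review bot: the new `helm/*-values.yaml` rule only covers a plaintext file that sits directly in `helm/` and ends in exactly `-values.yaml`, so a decrypted copy saved as `helm/values.yaml`, with a `.yml` extension, or in a subdirectory can still be committed. Consider widening the ignore patterns and adding a pre-commit check that rejects any `*.sops.yaml` file lacking the `sops` metadata block, since the comment "Encrypted versions (*.sops.yaml) are safe to commit" holds only when the file really was encrypted before staging. Separately, an ignore rule does not untrack anything: if `helm/gitea-values.yaml` was committed before this migration, it needs `git rm --cached` in this change, and the postgresql-ha passwords it held remain readable in history and should be treated as exposed.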