feat(secrets): encrypt gitea Helm values with SOPS (age)
Some checks failed
railiance-tests / smoke (push) Has been cancelled
Some checks failed
railiance-tests / smoke (push) Has been cancelled
Add .sops.yaml policy targeting *.sops.yaml files using the shared age key from railiance-infra. Migrate helm/gitea-values.yaml to encrypted helm/gitea-values.sops.yaml. Pins all postgresql-ha passwords (postgresql, postgres, repmgr, pgpool, pgpool-admin, sr-check) so helm upgrade never regenerates secrets and breaks the running cluster. Fixes WP-0003 T01. Usage: helm upgrade gitea gitea/gitea -n default -f <(sops -d helm/gitea-values.sops.yaml) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
4
.gitignore
vendored
4
.gitignore
vendored
@@ -72,6 +72,10 @@ htmlcov/
|
||||
# Backup dropoff links (contain upload tokens)
|
||||
*backup-dropoff-link*
|
||||
|
||||
# SOPS: never commit decrypted values files
|
||||
# Encrypted versions (*.sops.yaml) are safe to commit
|
||||
helm/*-values.yaml
|
||||
|
||||
# IDE configs
|
||||
.vscode/
|
||||
.idea/
|
||||
|
||||
10
.sops.yaml
Normal file
10
.sops.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
# SOPS encryption policy for railiance-cluster
|
||||
# Encrypts any file matching *.sops.yaml using the shared age key.
|
||||
# Decrypt: sops -d helm/gitea-values.sops.yaml
|
||||
# Use with helm: helm upgrade gitea gitea/gitea -n default -f <(sops -d helm/gitea-values.sops.yaml)
|
||||
|
||||
creation_rules:
|
||||
- path_regex: \.sops\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
|
||||
46
helm/gitea-values.sops.yaml
Normal file
46
helm/gitea-values.sops.yaml
Normal file
@@ -0,0 +1,46 @@
|
||||
#ENC[AES256_GCM,data:RznLDXAkDpHVhaXHZrlMYo6z8+cZyTjRMkku6XrF2Zjzulkt+Ve/8Q==,iv:EHVhhpSUcDGR1ARNfNbSdJ0Gjjq6CyEfXMU+cAnIgc4=,tag:0OWESOcslvCB5wHH6IWE6g==,type:comment]
|
||||
#ENC[AES256_GCM,data:RJvbPFrBALVhJm5+rkcdgTqE9G59vRnfjddwXU+G+B3u1saEttf98sTXV/Mim/FK6gAilvSr,iv:h1QLn5NthfdVAayrpvqcPzTXV1sEQATNREAHLRT6c1Y=,tag:32UpAGaIyDbFnnAa3zveAQ==,type:comment]
|
||||
#
|
||||
#ENC[AES256_GCM,data:mzm+3mIPOZBEuFAZUppd3i2UnJ94mP+pXGVLdkfZ8SOTDgnw6dJa1A==,iv:cO/dj0wp9MlEUUcYU4qOGG1qJ2LWHHgRGoYii7aKMMg=,tag:4jiRnvmaRa3nDoSJ2W6sWw==,type:comment]
|
||||
#ENC[AES256_GCM,data:h7vlbkUu+TMbRU83E+nx5F/4FCcovoIPdgRmD4/QVUFPimDGxZ6CtnhJbYQjVw==,iv:kXozUXpTdhy+MPk2y956Pqofww/iDVLUE/bSH0+mHaU=,tag:LsB6Ijmw/sT0d3S+rMbAsQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:Uw46ZrbHN5fxwHV/mU9t+z2xYkRE0gUxmlzRfzPVt31qH7SwxvVvcSMRIw==,iv:/nnvTn3ABdKBtCRytjg73T4jl3w+8JRZIaSsw7l9Iyk=,tag:Bn4WRZDMj6lc0o8Z6d/ZXQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:6871AIBTjtOWM5CCXlo/MDCYMhBdl4kVCQnxhlW7cyZ6Ucy+0Tg3yn5LO28DDQl2y8f/2ACfttT4KHiGqe7bhg0a0DouN1NLRmXlxNUAADo88FqW33C41EBJ7v50ng==,iv:qOjN0OBPaNNBC33CXwGUPVNdk+eerCa5mOdkcqwQKXM=,tag:U0xLzSBcAR4ILRQHGaoWLg==,type:comment]
|
||||
#
|
||||
#ENC[AES256_GCM,data:FRaxggcnSudMRfPAMH3nzX04cwkWQ4LhyGk0qMmH5tiSPYMnVoedoLN6TEnk5skCg6UmOaV2jcJo36zpkKoQBf6u,iv:CQoIAYQO09d+jqsvgycCFHZme9SFhgGWaut3JjeEQ5w=,tag:0i56ycYqWuKMOcjentGplw==,type:comment]
|
||||
#ENC[AES256_GCM,data:weGb36lC8sz19REjFOI8EagSEnDisNSHteSr+SZmTWAbfxnUk+/G4d5q/KMWHS+Y0SimGbufwDuvj0AiwIl0GZ/46Lqfdg==,iv:IIZCqRFIEp0IxGQkv5aTknJyYA3DG7vxtu6CGhrUh0k=,tag:/X3OGfgurgiNsz1vf6oPxw==,type:comment]
|
||||
gitea:
|
||||
config:
|
||||
server:
|
||||
DOMAIN: ENC[AES256_GCM,data:R2HrjW5sW0nvDNIWd0G00ReltOA=,iv:CWZ+Fy+y/hIKNzqCTstaGFpgHgDJvEe6mF0Q7QKbvmE=,tag:+oA9F7xTgaSXLIPmYNkY5A==,type:str]
|
||||
ROOT_URL: ENC[AES256_GCM,data:li2QBHIkm3hVSqGbzuBG2os8qx7tHuiyOttn,iv:2q0LXgp+bhv7t4FG1kBNNlq1ZqSpIpUf7e0hdKhJosg=,tag:h+Mu0/jo/pb78qOWU7W0TQ==,type:str]
|
||||
SSH_DOMAIN: ENC[AES256_GCM,data:i0Vb19m1fbr4TluqQxjFg73X0eA=,iv:ff2Nhmpdc+S8lTye87fj0i5MFyIl4Mhq8+awknKlbTQ=,tag:lPGppk9JT7wR5thdwlmjTQ==,type:str]
|
||||
postgresql-ha:
|
||||
postgresql:
|
||||
#ENC[AES256_GCM,data:kRJ/o1D24opEpW87UbrSWzGjOAgRD0GTMrP9wI2x9xY=,iv:hepYzpp2stw6zjHpS2vr84rZrgifhEBK/UovRUWoV6c=,tag:XDwJc1rbI2F9gEr6o5tzgw==,type:comment]
|
||||
password: ENC[AES256_GCM,data:AkkKp+w=,iv:juctW3iHu67VJ8aTOW0XmqCyzr/mXnQ6g4/1G+i+2rY=,tag:LCfo9IyhBMpqEdtMy/iNaA==,type:str]
|
||||
#ENC[AES256_GCM,data:w8IVl9bCaSuivbgZ0XGH9NiM6lb3j7x9WX/hnIawG4ka6ayzkE/J3hf3dHuODQ==,iv:SbtCWprptkkCu8GIOQeh6gAYLuD+T1dyxZE1BOOLMns=,tag:Fa00ndoNxRIcSXDZFaH08Q==,type:comment]
|
||||
postgresPassword: ENC[AES256_GCM,data:2BxdJ++kXX3t,iv:sARgDgLtsKve/KnqMxH2T8bTtyVZDtCWD8/EHIoXkqs=,tag:AJAkFd8EM+zEzd8YgRZlng==,type:str]
|
||||
#ENC[AES256_GCM,data:xz+TDvCisDuBzo7xIsJXUanl1yELabUonk8dRUg1hoaU3EYIJQ==,iv:cWfTjhwfaUNLralnQRe1lmx8lcyxofXPrZU/LZEcQfc=,tag:jUukbPltv6NUOQKRCSoORw==,type:comment]
|
||||
repmgrPassword: ENC[AES256_GCM,data:FC5NW9Jnm1CX,iv:/c1g/luv39LCBDI6Ayhw7O5SzOqgR5RFLtAouuHFWvQ=,tag:wP7xx0ga8i3lzVyVm2iiOQ==,type:str]
|
||||
#ENC[AES256_GCM,data:3w4zrmvevybTsZzr5wgwF3h1UMJuizBQ0+wjyq++X899LCp0ild6YOcPR2KiOvn5zNitG7RW8LpwyWkw+hzK,iv:HnJl+UhEu/M9HeLy2ws/437lMC1ZjTlbEgMnEpG0FY4=,tag:Nxxj4q7eOh0+zmVLhXArcQ==,type:comment]
|
||||
pgpoolPassword: ENC[AES256_GCM,data:MF8mAi9UpHwh,iv:TYvqtUtqFH+JcoHWfUk3SIrh/MsmEitRoGn4FWXyjNE=,tag:bJeGbXI7V8Vcn6EoEfzzHQ==,type:str]
|
||||
pgpool:
|
||||
#ENC[AES256_GCM,data:mwdpjpgs38LDNg0BQukw5t61RN5EHbvbGgDquuMezXCviYMViA==,iv:9QLGDdAAcUOMJAp40cOBC3qN3aBeuXvcj76UWbnazq8=,tag:kRW1CVpoaK7sXOHU4uHpcw==,type:comment]
|
||||
adminPassword: ENC[AES256_GCM,data:9aheOLxvanH9,iv:q7CEnryzyh5zVJHqJ2veAVr9lRVNFPwM6ownxmI12Wg=,tag:EFOOxW7LPLCRJxuhwreo1A==,type:str]
|
||||
#ENC[AES256_GCM,data:FAZHI4BENIuUyILlBh4m/vluaursEkO/yWuKp5mPpYnxYy3vI0Ichehu1o8405ENp1UjyN1bEA==,iv:CBjvgAF4RIEb0wpD+NV1oXAZCZof6X94S0Ny7JrKy5Q=,tag:ytSlhX8knkwKouX5wSO31A==,type:comment]
|
||||
srCheckPassword: ENC[AES256_GCM,data:S5tluU9DfVKV,iv:5pdvQcnebpoBaQq422PTeIdvQKc0AJ3M+PyapnSe0hM=,tag:/sHw4GoqPOiOAnDVqnizqQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eCtCczBraGlibTRpVTI5
|
||||
WGNVV0N3c2NZZ2dmL1lQTXBHcGtJODlTR2tFCnFmOTBCaDhOYW4raFg1WkJhYUxN
|
||||
Q1Y0cnNkYUp6T0ZNUVNUY1RLNkZicEkKLS0tIGZDRkg0TmdkTGNvd1RQTWVacXRs
|
||||
R0RHWml2LzRHcmpDUGRnY1Bwa3BOeWMKN52lakQFLMBflYC/KOTXLECJb6qlTVNG
|
||||
xFlPrgVhMaF2dwTje/5QsSAOuvwQ4HJ7ot3KsUkQAhheqYeiOAxdPg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-03-10T13:36:49Z"
|
||||
mac: ENC[AES256_GCM,data:3D5CtE5lcEc20pH2iyLF3UaPRqlp3BFF1xbSjVtv6R/YYnnemjBcDKT8kbMWb5mGCGOYlJ7AE+ewmix3KdY1FZnNENRSXkTSMqlu8luRzXNq+QuXSA7ofAtC24VMiHGnCSgY+rxSbbKLC1dcdF4KblcAmKp5tv0/8XyzSWkswAI=,iv:xQ/OotVy329F150A8HEeUgf0l8iZB3LJm9/zm/b+SJg=,tag:pxotV1XcTJfgd3HGdS/eKQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -1,19 +0,0 @@
|
||||
# Gitea Helm values — railiance-cluster
|
||||
# Chart: gitea v12.2.0 / postgresql-ha subchart v16.2.2
|
||||
#
|
||||
# SECURITY: This file contains sensitive values.
|
||||
# Encrypt before committing: sops --encrypt --in-place helm/gitea-values.yaml
|
||||
# Usage: helm upgrade gitea gitea/gitea --values helm/gitea-values.yaml
|
||||
#
|
||||
# To find current values on the cluster:
|
||||
# sudo k3s kubectl get secret -n default gitea-postgresql-ha-postgresql -o yaml
|
||||
|
||||
postgresql-ha:
|
||||
pgpool:
|
||||
# FIX for WP-0003 / D3:
|
||||
# The Bitnami postgresql-ha subchart (v16.2.2) does not write pgpool-password
|
||||
# into the postgresql secret automatically. Without this key, pgpool enters
|
||||
# CrashLoopBackOff on any pod restart (including HA failover).
|
||||
# Value must match the sr-check-password used during initial deployment.
|
||||
# Decode current value: kubectl get secret gitea-postgresql-ha-postgresql -o jsonpath='{.data.pgpool-password}' | base64 -d
|
||||
adminPassword: "REPLACE_WITH_PGPOOL_ADMIN_PASSWORD"
|
||||
Reference in New Issue
Block a user