feat(secrets): encrypt gitea Helm values with SOPS (age)
Add .sops.yaml policy targeting *.sops.yaml files using the shared age key from railiance-infra. Migrate helm/gitea-values.yaml to encrypted helm/gitea-values.sops.yaml.

Pins all postgresql-ha passwords (postgresql, postgres, repmgr, pgpool, pgpool-admin, sr-check) so helm upgrade never regenerates secrets and breaks the running cluster.

Fixes WP-0003 T01.

Usage: helm upgrade gitea gitea/gitea -n default -f <(sops -d helm/gitea-values.sops.yaml)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent 660a63c674
commit 7daef079c2
4 changed files with 60 additions and 19 deletions
.sops.yaml (normal file, 10 lines)
@ -0,0 +1,10 @@
# SOPS encryption policy for railiance-cluster
# Encrypts any file matching *.sops.yaml using the shared age key.
# Decrypt: sops -d helm/gitea-values.sops.yaml
# Use with helm: helm upgrade gitea gitea/gitea -n default -f <(sops -d helm/gitea-values.sops.yaml)

creation_rules:
- path_regex: \.sops\.yaml$
key_groups:
- age:
- age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
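Review bot: the single age recipient at the end of this hunk is the only key that can decrypt any *.sops.yaml in the repository, so loss of that one railiance-infra key makes helm/gitea-values.sops.yaml (and the pinned postgresql-ha passwords in it) unrecoverable; add a second recipient (an offline backup key) to the same `- age:` list so decryption does not depend on one key, and re-encrypt the values file with `sops updatekeys` after the policy change. Two smaller points on the same rule: as rendered here `key_groups:` and `- age:` sit at the same nesting level as `- path_regex:`, but sops only applies them if they are indented under that creation rule, so check the committed indentation; and without an `encrypted_regex` the whole values file is encrypted, which hides every non-secret change to the Helm values from review (an `encrypted_regex` matching only the password keys would keep the rest diffable). The recipient string itself is a public key and is safe to commit; the private key must never land in this repo. The `-f <(sops -d ...)` usage in the comments is the right shape, since the plaintext only ever reaches helm through a pipe and not a file on disk.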