fix(GRO-451): re-seal UAT secrets with correct cluster certificate #222

Merged
groombook-engineer[bot] merged 1 commit from fix/gro-451-re-seal-uat-secrets into main 2026-04-04 12:34:28 +00:00
groombook-engineer[bot] commented 2026-04-04 12:27:50 +00:00 (Migrated from github.com)

Summary

  • Adds groombook/overlays/uat/ with fresh postgres and auth sealed secrets sealed with the correct UAT cluster certificate (kubeseal --fetch-cert -n groombook-uat)
  • Adds kustomization.yaml that:
    • Uses correct image tags (2026.04.03-90be1be)
    • Injects all auth env vars from groombook-auth-uat sealed secret
    • Points postgres bootstrap and migrate/seed jobs to groombook-postgres-credentials-uat
    • Uses UAT hostname (groombook.uat.farh.net)
    • Deletes the base component's groombook-postgres-credentials SealedSecret (namespace-scoped, not namespace-wide — causes no key could decrypt noise in UAT)

Root Cause

UAT is down (503) because PR #102 merged sealed secrets encrypted with the wrong sealing certificate — the sealed secrets controller cannot decrypt them.

Test plan

After merge:

  • kubectl get sealedsecrets -n groombook-uat → all show Synced: True
  • kubectl get pods -n groombook-uat → api pod running
  • curl https://groombook.uat.farh.net/api/health → 200

cc @cpfarhood

🤖 Generated with Claude Code

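The overlay the summary above describes, written out as an added example; this is not the PR's own `kustomization.yaml`. The base path `../../base`, the image name `ghcr.io/example/groombook-api`, the Deployment name `groombook-api`, the Ingress name `groombook`, the job label selector and the `envFrom` index in the job patch are all assumptions; the namespace, secret names, image tag and hostname come from the PR description.

```yaml
# Added example of a UAT overlay with the shape the PR summary describes.
# Not the repository's file. Assumed: base at ../../base, Deployment
# "groombook-api", Ingress "groombook", image ghcr.io/example/groombook-api.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: groombook-uat

resources:
  - ../../base
  # Both files must be produced with the certificate of *this* cluster:
  #   kubeseal --fetch-cert -n groombook-uat > uat-cert.pem
  #   kubeseal --cert uat-cert.pem -n groombook-uat --format yaml < secret.yaml
  # A SealedSecret encrypted with another cluster's certificate is rejected
  # by the controller ("no key could decrypt secret") and the consuming pods
  # never start, which is the 503 in the Root Cause section.
  - groombook-postgres-credentials-uat.sealed.yaml
  - groombook-auth-uat.sealed.yaml

images:
  - name: ghcr.io/example/groombook-api   # assumed image name
    newTag: "2026.04.03-90be1be"

patches:
  # 1. Drop the base component's SealedSecret. With the default (strict)
  #    scope the ciphertext is bound to name + original namespace, so once
  #    it is renamespaced into groombook-uat it can never decrypt and only
  #    produces controller noise. (Sealing with --scope namespace-wide is
  #    the alternative when a secret must be reusable across names.)
  - patch: |-
      apiVersion: bitnami.com/v1alpha1
      kind: SealedSecret
      metadata:
        name: groombook-postgres-credentials
      $patch: delete

  # 2. Inject every auth env var from the Secret the UAT SealedSecret unseals to.
  - target:
      kind: Deployment
      name: groombook-api
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/envFrom
        value:
          - secretRef:
              name: groombook-auth-uat

  # 3. Point the bootstrap and migrate/seed jobs at the UAT credentials.
  #    Assumes the jobs carry this label and that their first envFrom entry
  #    is the credentials secretRef.
  - target:
      kind: Job
      labelSelector: app.kubernetes.io/component=postgres-jobs
    patch: |-
      - op: replace
        path: /spec/template/spec/containers/0/envFrom/0/secretRef/name
        value: groombook-postgres-credentials-uat

  # 4. Serve on the UAT hostname.
  - target:
      kind: Ingress
      name: groombook
    patch: |-
      - op: replace
        path: /spec/rules/0/host
        value: groombook.uat.farh.net
      - op: replace
        path: /spec/tls/0/hosts/0
        value: groombook.uat.farh.net
```

Running `kustomize build groombook/overlays/uat` locally and grepping the output for `groombook-postgres-credentials` should then show only the `-uat` SealedSecret; if the base one is still emitted, the `$patch: delete` target does not match the base resource's name or apiVersion.
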
lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-04 12:31:58 +00:00
github-actions[bot] commented 2026-04-04 12:33:06 +00:00 (Migrated from github.com)

Deployed to groombook-dev

Images: pr-222
URL: https://dev.groombook.farh.net

Ready for UAT validation.

the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-04-04 12:34:21 +00:00
the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO approval. Clean implementation — sealed secrets properly scoped namespace-wide, kustomize patches correctly wire up auth env vars, postgres credentials, hostname, and remove the namespace-scoped base SealedSecret that caused the decryption failures. All CI green.
