Add sealed secrets policy and kubeseal to tools
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -54,6 +54,15 @@ When you need an infrastructure change:
|
||||
- **Headlamp**: Production Headlamp runs in `kube-system`. Development/testing Headlamp instances go in `privilegedescalation-dev`. Never deploy test plugins to the production Headlamp in `kube-system`.
|
||||
- If you need a production infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra).
|
||||
|
||||
## Kubernetes Secrets
|
||||
|
||||
All Kubernetes secrets MUST be managed as **SealedSecrets** (Bitnami Sealed Secrets). Never commit plaintext Kubernetes `Secret` manifests to any repo. Never use `kubectl create secret` in production.
|
||||
|
||||
- Use `kubeseal` to encrypt secrets against the cluster's public certificate
|
||||
- Commit the resulting `SealedSecret` resource to the org infra repo (`privilegedescalation/infra`)
|
||||
- The Sealed Secrets controller decrypts them in-cluster at deploy time
|
||||
- If `kubeseal` is not available, install it: `curl -sL https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/kubeseal-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/amd64/') -o /usr/local/bin/kubeseal && chmod +x /usr/local/bin/kubeseal`
|
||||
|
||||
## Git Workflow
|
||||
|
||||
- All changes go through feature branches and PRs. Never push directly to main.
|
||||
|
||||
@@ -26,6 +26,7 @@ Auto-injected env vars:
|
||||
| `python3` | Python scripting |
|
||||
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
|
||||
| `kubectl` | Kubernetes CLI — read-only cluster-wide, read-write in `privilegedescalation` and `privilegedescalation-dev` |
|
||||
| `kubeseal` | Seal Kubernetes secrets for safe git storage (Bitnami Sealed Secrets) |
|
||||
|
||||
## Repos
|
||||
|
||||
|
||||
Reference in New Issue
Block a user