From 66d78ef40358d20ce3a6e7cb34af13bfc133e7be Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sat, 21 Mar 2026 15:52:56 -0400 Subject: [PATCH] Add sealed secrets policy and kubeseal to tools Co-Authored-By: Claude Opus 4.6 (1M context) --- POLICIES.md | 9 +++++++++ TOOLS.md | 1 + 2 files changed, 10 insertions(+) diff --git a/POLICIES.md b/POLICIES.md index 26f6b61..8075d3a 100644 --- a/POLICIES.md +++ b/POLICIES.md @@ -54,6 +54,15 @@ When you need an infrastructure change: - **Headlamp**: Production Headlamp runs in `kube-system`. Development/testing Headlamp instances go in `privilegedescalation-dev`. Never deploy test plugins to the production Headlamp in `kube-system`. - If you need a production infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra). +## Kubernetes Secrets + +All Kubernetes secrets MUST be managed as **SealedSecrets** (Bitnami Sealed Secrets). Never commit plaintext Kubernetes `Secret` manifests to any repo. Never use `kubectl create secret` in production. + +- Use `kubeseal` to encrypt secrets against the cluster's public certificate +- Commit the resulting `SealedSecret` resource to the org infra repo (`privilegedescalation/infra`) +- The Sealed Secrets controller decrypts them in-cluster at deploy time +- If `kubeseal` is not available, install it: `curl -sL https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/kubeseal-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/amd64/') -o /usr/local/bin/kubeseal && chmod +x /usr/local/bin/kubeseal` + ## Git Workflow - All changes go through feature branches and PRs. Never push directly to main. diff --git a/TOOLS.md b/TOOLS.md index 3223b40..3cc3486 100644 --- a/TOOLS.md +++ b/TOOLS.md 
@@ -26,6 +26,7 @@ Auto-injected env vars: | `python3` | Python scripting | | `pnpm paperclipai` | Paperclip CLI — issue/agent operations | | `kubectl` | Kubernetes CLI — read-only cluster-wide, read-write in `privilegedescalation` and `privilegedescalation-dev` | +| `kubeseal` | Seal Kubernetes secrets for safe git storage (Bitnami Sealed Secrets) | ## Repos
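Review bot: the `kubeseal` install one-liner under `## Kubernetes Secrets` in the POLICIES.md hunk fetches an unpinned `latest` binary over the network and marks it executable with no checksum or signature check, which is a supply-chain gap in the very section that mandates encrypted secrets; pin a release version and verify the download against the checksums file published with that release before `chmod +x`, and note that writing to `/usr/local/bin` generally needs root. The architecture mapping is also incomplete: `uname -m | sed 's/x86_64/amd64/'` leaves Linux `aarch64` untouched, so on ARM hosts the asset name will not follow the `amd64`-style naming the sed implies (add `s/aarch64/arm64/`). Separately, "Never use `kubectl create secret` in production" reads as forbidding the usual way to produce kubeseal's input; clarify that `kubectl create secret ... --dry-run=client -o yaml | kubeseal ...` is the expected workflow and that only applying a plaintext `Secret` to the cluster is prohibited.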
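Review bot: the new `kubeseal` row in the TOOLS.md hunk does not say where the sealing certificate comes from, and the `kubectl` row directly above it says access is read-only cluster-wide outside the two `privilegedescalation*` namespaces; `kubeseal --fetch-cert` reaches the controller through the API server's service proxy in `kube-system`, which a read-only role may not grant, so either confirm that access or document passing a committed certificate with `--cert` (plus `--controller-namespace`/`--controller-name` if the controller is not at the defaults). It is also worth stating in the row that kubeseal binds a SealedSecret to its namespace and name by default (strict scope), so a secret sealed for `privilegedescalation-dev` cannot be reused in production; that matches the dev/prod split in the `kubectl` row and should be explicit.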