Feature: SOP — Document secrets management flow and rotation runbook [DUPLICATE — already exists] #231

Open
opened 2026-03-28 19:40:02 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Standalone — discovered during session fixing basketball-api deployment. Env var mismatch exposed lack of documented secrets flow.

Repo

forgejo_admin/pal-e-platform (SOP note created via pal-e-docs MCP tools)

User Story

As a superadmin
I want the secrets flow documented with a rotation runbook
So that I can audit, rotate, and recover secrets without guessing which source is authoritative

Context

Secrets live in 5 locations with no single document explaining the flow:

| Location | Format | Role |
|----------|--------|------|
| ~/secrets/pal-e-platform/secrets.env | Plaintext env | Local source of truth |
| salt/pillar/secrets/platform.sls | GPG-encrypted YAML | Deployed to cluster via Salt |
| terraform/secrets.auto.tfvars | Plaintext HCL (gitignored by *.tfvars) | Consumed at tofu apply |
| pal-e-deployments/overlays/*.enc.yaml | SOPS-encrypted | ArgoCD decrypts at sync |
| K8s API (etcd) | Runtime secrets | Injected into pods |

Note: secrets.auto.tfvars is already gitignored (root .gitignore has *.tfvars). secrets_registry.sls contains only metadata, no actual secret values.

File Targets

This ticket creates pal-e-docs content, not repo files:

  • New SOP note: sop-secrets-management — full flow documentation
  • Rotation runbook section within the SOP
  • Table mapping each secret to its authoritative source (using secrets_registry.sls as input)

Acceptance Criteria

  • SOP note documents the full secrets flow (source → encryption → deployment → runtime)
  • Each secret has a documented authoritative source
  • Rotation runbook exists (even if manual for now)
  • SOP linked from sop-index

Test Expectations

  • SOP note is queryable via get_note(slug="sop-secrets-management")

Constraints

  • Documentation only — no secret rotation or config changes in this ticket
  • Use secrets_registry.sls as the input for the secret inventory
  • Companion ticket for gitignore hardening: separate scope

Checklist

  • SOP note created
  • No unrelated changes

Related

  • project-pal-e-platform — platform infrastructure
  • forgejo_admin/pal-e-deployments #69 — env var mismatch that exposed this gap
  • Companion: #232 (hardening ticket, TBD)
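An added inventory check (example code, not part of the ticket or the pal-e-platform repo) for the "each secret has a documented authoritative source" criterion: it reads variable names from a dotenv-style secrets.env, compares them with a registry mapping, and flags names with no registry entry, entries whose source is not one of the five documented locations, and registry entries with no live variable. The registry shape and both sample inputs are assumptions, since the real secrets_registry.sls layout is not shown; secret values are never read or printed.

```python
"""Secrets inventory check for the flow in the ticket (added example, not
repo code). The registry shape is an assumption: the real
secrets_registry.sls layout is not shown in the ticket."""
import re

# The five locations from the ticket's Context table.
KNOWN_SOURCES = {
    "~/secrets/pal-e-platform/secrets.env",
    "salt/pillar/secrets/platform.sls",
    "terraform/secrets.auto.tfvars",
    "pal-e-deployments/overlays/*.enc.yaml",
    "K8s API (etcd)",
}

# Constructed sample secrets.env; values are placeholders, never real secrets.
SAMPLE_ENV = """\
# local source of truth
DB_PASSWORD=placeholder
API_TOKEN="placeholder"
export OBJECT_STORE_KEY=placeholder
"""

# Constructed sample registry (metadata only, like secrets_registry.sls).
# Assumed shape: variable name -> authoritative source.
SAMPLE_REGISTRY = {
    "DB_PASSWORD": "~/secrets/pal-e-platform/secrets.env",
    "API_TOKEN": "vault/kv/api",  # not one of the five documented locations
    "LEGACY_KEY": "salt/pillar/secrets/platform.sls",  # gone from secrets.env
}

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def env_keys(text):
    """Return variable names from a dotenv-style file; values are not captured."""
    return [m.group(1) for m in map(ENV_LINE.match, text.splitlines()) if m]


def audit(env_text, registry):
    """Cross-check env names against the registry and report the three gap types."""
    keys = set(env_keys(env_text))
    return {
        "unregistered": sorted(keys - registry.keys()),
        "unknown_source": sorted(k for k in keys & registry.keys()
                                 if registry[k] not in KNOWN_SOURCES),
        "stale": sorted(registry.keys() - keys),
    }


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_ENV, SAMPLE_REGISTRY).items():
        print(f"{kind}: {names}")
```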
forgejo_admin changed title from Feature: Document secrets flow and add redundancy across salt/terraform/k8s to Feature: SOP — Document secrets management flow and rotation runbook 2026-03-28 19:41:52 +00:00
forgejo_admin changed title from Feature: SOP — Document secrets management flow and rotation runbook to Feature: SOP — Document secrets management flow and rotation runbook [DUPLICATE — already exists] 2026-03-28 19:49:06 +00:00