Salt Phase 2b: GPG encryption + secret migration #3

Closed
opened 2026-02-27 19:13:47 +00:00 by forgejo_admin · 0 comments

Plan

plan-2026-02-26-salt-host-management — Phase 2b

Repo

pal-e-platform — the repo where the code change happens

User Story

As a platform operator
I need secrets encrypted at rest in the repo and decrypted on demand by Salt
So that plaintext secrets in ~/secrets/ are eliminated and the platform has a proper trust chain

Acceptance Criteria

When I run salt-call pillar.items
Then all 20 platform secrets are decrypted from GPG-encrypted pillar

When I run make tofu-plan
Then secrets are auto-rendered from pillar and Terraform shows "No changes"

Additional Information

  • GPG key: RSA 4096, Salt Master (pal-e-platform) <salt@pal-e.local>, fingerprint EE61A629AA7138A75AEF783481A03D1CF874DC90
  • 3 source files migrated: pal-e-platform/secrets.env, pal-e-services/secrets.env, pal-e-services/forgejo.env
  • Age keypair generated for future SOPS use (Kustomize plan dependency)
  • k3s.tfvars replaced by secrets.auto.tfvars (rendered from pillar) + variable defaults
  • minio_root_password discovered in k3s.tfvars but missing from secrets.env — added to pillar
  • Docs: issue-pal-e-platform-salt-phase-2b-gpg-secrets in pal-e-docs
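
An added example, not code from the pal-e-platform repo: a stdlib-only Python audit for one Salt pillar file that checks the invariants this phase sets up, namely the `#!yaml|gpg` renderer shebang on line 1, every value under `secrets:` being an ASCII-armored PGP message rather than plaintext, and the key set matching the secret registry. The sample pillar, its placeholder ciphertext and the three registry names are constructed.

```python
import re
ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
GPG_SHEBANG = re.compile(r"^#!\s*yaml\s*\|\s*gpg\s*$")

# Constructed sample pillar: placeholder ciphertext, not a real PGP message; the
# second key was pasted in plaintext to show the failure mode being audited.
SAMPLE_PILLAR = """\
#!yaml|gpg
secrets:
  forgejo_admin_password: |
    -----BEGIN PGP MESSAGE-----

    hQEMA-constructed-placeholder-ciphertext-not-real==
    -----END PGP MESSAGE-----
  minio_root_password: hunter2
"""
# Constructed stand-in for the secret registry (the real one lists 20 names).
REGISTRY = {"forgejo_admin_password", "minio_root_password", "forgejo_db_password"}
def parse_secret_values(text: str) -> dict[str, str]:
    # Minimal reader for a flat `secrets:` mapping: `key: inline` and `key: |`
    # block scalars (how armored ciphertext is written for the gpg renderer).
    values: dict[str, str] = {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^  ([A-Za-z0-9_]+):\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key, inline = m.group(1), m.group(2).strip()
        if inline in ("|", "|-"):
            block, i = [], i + 1
            while i < len(lines) and (lines[i].startswith("    ") or not lines[i].strip()):
                block.append(lines[i].strip())
                i += 1
            values[key] = "\n".join(block).strip()
        else:
            values[key] = inline.strip("'\"")
            i += 1
    return values

def audit_pillar(text: str, registry: set[str]) -> dict:
    # Phase 2b invariants: gpg renderer shebang on line 1, every value is an
    # armored PGP message (no plaintext at rest), key set equals the registry.
    values = parse_secret_values(text)
    return {
        "renderer_ok": bool(GPG_SHEBANG.match(text.splitlines()[0] if text.strip() else "")),
        "plaintext_keys": [k for k in sorted(values) if not
                           (values[k].startswith(ARMOR_BEGIN) and values[k].endswith(ARMOR_END))],
        "missing_from_pillar": sorted(registry - values.keys()),
        "unregistered": sorted(values.keys() - registry),
    }
```

Run it against each migrated pillar file in CI so a plaintext value or an unregistered key fails the PR before it merges.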

Checklist

  • [x] GPG keypair generated and tested
  • [x] Salt GPG renderer configured
  • [x] All 3 secret files migrated to encrypted pillar
  • [x] Age keypair generated and stored in encrypted pillar
  • [x] Secret registry created
  • [ ] Makefile tofu-secrets target wired
  • [ ] make tofu-plan shows "No changes"
  • [ ] PR opened

Related

  • pal-e-platform — project
  • plan-2026-02-26-salt-host-management — parent plan
  • plan-2026-02-26-kustomize-service-bases — depends on age keypair
Reference
forgejo_admin/pal-e-platform#3