feat: onboard zep + LinkedIn secrets to canonical backup layer #74

Closed
opened 2026-03-15 02:12:38 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → Platform Hardening (secrets hygiene)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want all production secrets GPG-encrypted in the Salt pillar with registry metadata
So that the canonical backup layer is complete and auditable for all active services

Context

Six new secrets exist in plaintext backups (~/secrets/) but are not yet in the Salt pillar or registry. These are app secrets (MiroFish + Posts/LinkedIn), not platform secrets. Per the sop-secrets-management decision gate: Terraform does NOT create k8s Secrets for these values, so only Steps 1–4 (canonical backup layer) apply here. When MiroFish and Posts services deploy, actual k8s Secrets will use the SOPS path in app repo kustomize overlays.

Secrets: zep_api_key, linkedin_access_token, linkedin_refresh_token, linkedin_client_id, linkedin_client_secret, linkedin_person_id.

File Targets

Files to modify:

  • salt/pillar/secrets/platform.sls — add 6 GPG-encrypted values
  • salt/pillar/secrets_registry.sls — add 6 registry metadata entries

Files NOT to touch:

  • Makefile — these secrets are not in TF_SECRET_VARS (not Terraform-consumed)
  • terraform/variables.tf — no Terraform variable blocks needed
  • terraform/main.tf — no Terraform references needed

Acceptance Criteria

  • All 6 secrets GPG-encrypted in salt/pillar/secrets/platform.sls
  • All 6 secrets have metadata in salt/pillar/secrets_registry.sls
  • No changes to Makefile, variables.tf, or main.tf
  • CI tofu plan shows zero diff (secrets not consumed by Terraform)
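The acceptance criteria above (Steps 1–4: every value GPG-encrypted in the pillar, every value with registry metadata) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from pal-e-platform or from the sop-secrets-management SOP. It treats the two sls files as text and verifies, per secret name, that the value is a `|` block scalar holding an ASCII-armored PGP message, that the message carries a public-key encrypted session key addressed to 81A03D1CF874DC90 (read from the OpenPGP packet headers, so a value accidentally encrypted to a developer's personal key is caught, not just "looks like armor"), that the file opens with Salt's `#!yaml|gpg` renderer shebang, and that the name appears in the registry. The `secrets:` nesting, the registry layout, and every sample value are constructed assumptions for the example; the repo's real schema may differ.

```python
import base64
import re

# Constructed sample inputs: the secret names and key ID are the issue's; the registry layout
# (one `  name:` mapping per secret) is an assumption, not the repo's actual schema.
SECRET_NAMES = ["zep_api_key", "linkedin_access_token", "linkedin_refresh_token",
                "linkedin_client_id", "linkedin_client_secret", "linkedin_person_id"]
EXPECTED_KEY_ID = "81A03D1CF874DC90"

def fake_armored_message(key_id_hex):
    """Constructed test data: armored v3 PKESK + SEIPD packets addressed to key_id_hex."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x80" + bytes(range(16))
    pkesk = b"\x85" + len(body).to_bytes(2, "big") + body   # old-format header, tag 1 (RSA)
    seipd = b"\xd2\x10\x01" + bytes(15)                      # new-format header, tag 18
    b64 = base64.b64encode(pkesk + seipd).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PGP MESSAGE-----\n\n" + "\n".join(lines) + "\n-----END PGP MESSAGE-----"

def armor_to_bytes(armored):
    """Decode ASCII armor: drop the armor headers and the optional '=xxxx' CRC24 trailer."""
    lines = [l.strip() for l in armored.splitlines()]
    try:
        begin = lines.index("-----BEGIN PGP MESSAGE-----") + 1
        body = lines[begin:lines.index("-----END PGP MESSAGE-----")]
    except ValueError:
        raise ValueError("not an ASCII-armored PGP message") from None
    if "" in body:                                   # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")), validate=True)

def packet_header(data, pos):
    """(tag, body_start, body_len) of the packet at pos; body_len None means no fixed length."""
    first = data[pos]
    if first & 0x40:                                 # new-format header (RFC 4880 4.2.2)
        tag, l1 = first & 0x3F, data[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        return tag, pos + 2, None                    # 5-octet or partial length: payload only
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header (RFC 4880 4.2.1)
    if ltype == 3:
        return tag, pos + 1, None                    # indeterminate length
    n = (1, 2, 4)[ltype]
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(armored):
    """Key IDs from every v3 PKESK packet, i.e. the keys that can decrypt this message."""
    data, pos, ids = armor_to_bytes(armored), 0, []
    while pos < len(data):
        tag, start, length = packet_header(data, pos)
        if tag in (9, 18):                           # encrypted payload reached: no more ESKs
            break
        if tag == 1:
            if data[start] != 3:
                raise ValueError("only v3 PKESK packets are supported")
            ids.append(data[start + 1:start + 9].hex().upper())
        if length is None:
            raise ValueError("unsupported packet length encoding before the payload")
        pos = start + length
    return ids

def pillar_values(pillar_text):
    """Collect `  name: |` block scalars from the sls (a simplified pattern, not a YAML parser)."""
    blocks = re.findall(r"^  (\w+): \|[ \t]*\n((?:^    .*\n)*)", pillar_text, re.M)
    return {name: "\n".join(l[4:] for l in body.splitlines()) for name, body in blocks}

def audit(pillar_text, registry_text, names=SECRET_NAMES, key_id=EXPECTED_KEY_ID):
    """Findings list; empty means every name is encrypted to key_id and has registry metadata."""
    findings = []
    if not pillar_text.startswith("#!yaml|gpg"):
        findings.append("pillar: missing '#!yaml|gpg' shebang, the gpg renderer will not run")
    values = pillar_values(pillar_text)
    registry = set(re.findall(r"^  (\w+):[ \t]*$", registry_text, re.M))  # assumed layout
    for name in names:
        if name not in values:
            findings.append(f"{name}: missing from pillar")
            continue
        try:
            ids = recipient_key_ids(values[name])
        except (ValueError, IndexError) as e:         # binascii.Error is a ValueError too
            findings.append(f"{name}: not GPG-encrypted ({e})")
            continue
        if key_id not in ids:
            findings.append(f"{name}: encrypted to {ids}, not {key_id}")
        if name not in registry:
            findings.append(f"{name}: no registry metadata entry")
    return findings

def sample_findings(all_good=False):
    """Constructed pillar + registry; all_good=False plants a plaintext value, a wrong-key value
    and a secret with no registry entry."""
    values, registry_names = dict.fromkeys(SECRET_NAMES, fake_armored_message(EXPECTED_KEY_ID)), list(SECRET_NAMES)
    if not all_good:
        values["linkedin_access_token"] = "AQVplaintext-token-value"   # constructed plaintext leak
        values["linkedin_client_id"] = fake_armored_message("0123456789ABCDEF")
        registry_names.remove("linkedin_person_id")
    pillar = "#!yaml|gpg\n\nsecrets:\n" + "".join(
        f"  {n}: |\n" + "".join(f"    {l}\n" for l in v.splitlines()) for n, v in values.items())
    registry = "secrets:\n" + "".join(f"  {n}:\n    consumer: app\n" for n in registry_names)
    return audit(pillar, registry)
```

Run as a CI step it would fail the PR on any non-empty findings list; `sample_findings()` shows the three failure modes it is built to catch (a plaintext value committed by mistake, a value encrypted to the wrong key, a secret with no registry entry). Two caveats on producing the values themselves: the Salt gpg renderer documentation encrypts with `echo -n "value" | gpg --armor --batch --trust-model always --encrypt -r <key>`, and the `-n` matters because a trailing newline otherwise becomes part of the stored secret; and the shebang check exists because without `#!yaml|gpg` Salt serves the armored ciphertext as the literal pillar value, which a consumer would then happily write into a k8s Secret.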

Test Expectations

  • CI pipeline passes (tofu plan zero diff)
  • Run command: CI runs automatically on PR

Constraints

  • Follow sop-secrets-management SOPS path (Steps 1–4 only)
  • GPG key: 81A03D1CF874DC90
  • No Terraform variable blocks for app-only secrets

Checklist

  • PR opened
  • CI passes
  • No unrelated changes

Related

  • sop-secrets-management — decision gate updated this session
  • plan-2026-03-14-mirofish-launch — MiroFish project (zep consumer)
  • plan-pal-e-posts — Posts project (LinkedIn consumer)
forgejo_admin 2026-03-15 02:15:36 +00:00