Skip to content

Move non-secret config from SOPS secrets to plain env vars#219

Merged
RafaelPo merged 1 commit intomainfrom
fix/move-env-from-secrets
Feb 25, 2026
Merged

Move non-secret config from SOPS secrets to plain env vars#219
RafaelPo merged 1 commit intomainfrom
fix/move-env-from-secrets

Conversation

@RafaelPo
Copy link
Contributor

@RafaelPo RafaelPo commented Feb 25, 2026

Summary

  • Moved SUPABASE_URL, REDIS_SENTINEL_ENDPOINTS, and REDIS_SENTINEL_MASTER_NAME from SOPS-encrypted secrets to plain env vars in values.yaml
  • Re-encrypted both secrets.enc.yaml and secrets.staging.enc.yaml to contain only actual credentials (SUPABASE_ANON_KEY, REDIS_PASSWORD)
  • Addresses PR #201 review feedback from @hnykda

Rationale

These values are infrastructure addresses/config names, not credentials:

  • SUPABASE_URL — public HTTPS endpoint, useless without the anon key
  • REDIS_SENTINEL_ENDPOINTS — cluster-internal DNS, useless without the password
  • REDIS_SENTINEL_MASTER_NAME — just mymaster, a config label

Over-encrypting non-secrets adds KMS dependency for routine config changes and obscures what's actually sensitive.

Test plan

  • Verify sops -d secrets.enc.yaml returns only SUPABASE_ANON_KEY and REDIS_PASSWORD
  • Verify sops -d secrets.staging.enc.yaml returns only SUPABASE_ANON_KEY and REDIS_PASSWORD
  • Deploy to staging and confirm all env vars are present in the pod (kubectl exec ... -- env)

🤖 Generated with Claude Code

@RafaelPo @claude
Move non-secret config from SOPS secrets to plain env vars
14abb9b 
SUPABASE_URL, REDIS_SENTINEL_ENDPOINTS, and REDIS_SENTINEL_MASTER_NAME
are infrastructure addresses, not credentials. They don't grant access
without the corresponding keys/passwords which remain SOPS-encrypted.

Addresses PR #201 review feedback from @hnykda.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@RafaelPo RafaelPo requested a review from hnykda February 25, 2026 11:14
@RafaelPo RafaelPo merged commit e38acab into main Feb 25, 2026
5 checks passed
@RafaelPo RafaelPo deleted the fix/move-env-from-secrets branch February 25, 2026 11:15
RafaelPo added a commit that referenced this pull request Feb 25, 2026
@RafaelPo @claude
Restore env vars in SOPS secrets for rolling update compatibility
5b41f00 
PR #219 moved SUPABASE_URL, REDIS_SENTINEL_ENDPOINTS, and
REDIS_SENTINEL_MASTER_NAME from secrets to plain env vars in values.yaml.
During a rolling update, the K8s Secret is replaced first (removing those
vars), causing the old pod to crash before the new pod is ready — breaking
the deployment.

Add these vars back to both staging and production SOPS files so both old
and new pods can find them during the transition.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@RafaelPo RafaelPo mentioned this pull request Feb 25, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hnykda hnykda Awaiting requested review from hnykda

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RafaelPo