From 14abb9b3b885c9bede037883c5e165f5dc165516 Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi
Date: Wed, 25 Feb 2026 11:12:30 +0000
Subject: [PATCH] Move non-secret config from SOPS secrets to plain env vars

SUPABASE_URL, REDIS_SENTINEL_ENDPOINTS, and REDIS_SENTINEL_MASTER_NAME are infrastructure addresses, not credentials. They don't grant access without the corresponding keys/passwords which remain SOPS-encrypted. Addresses PR #201 review feedback from @hnykda.
Co-Authored-By: Claude Opus 4.6
---
 everyrow-mcp/deploy/chart/secrets.enc.yaml | 15 ++++++---------
 .../deploy/chart/secrets.staging.enc.yaml | 15 ++++++---------
 everyrow-mcp/deploy/chart/values.yaml | 3 +++
 3 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/everyrow-mcp/deploy/chart/secrets.enc.yaml b/everyrow-mcp/deploy/chart/secrets.enc.yaml
index facd785a..60a0f531 100644
--- a/everyrow-mcp/deploy/chart/secrets.enc.yaml
+++ b/everyrow-mcp/deploy/chart/secrets.enc.yaml
@@ -1,16 +1,13 @@ secrets: data: - SUPABASE_ANON_KEY: ENC[AES256_GCM,data:SDHdb1p3B56tCsZDMY+8rM/+fSZCJmZito/fmHsqChlPOqRmI2vNLOLIfavbEw==,iv:qotbOW4BUeyRAL8kAFpZ5iOwCDyjeOynlDNG1/a6NRc=,tag:SH7yEMGyS0NlIdDnPmPIsQ==,type:str] - SUPABASE_URL: ENC[AES256_GCM,data:c4UIrv/WFIqENnjQlMHn4RqJ/lJ6d8fWSyoYlswZOmM/Is8ohp2U4w==,iv:g6VSbaEwH9cn+pL9BhO5R4uLvLue4GCCHew5HZSy5go=,tag:BP0NESsL2E7vwc4aMyn2+g==,type:str] - REDIS_SENTINEL_ENDPOINTS: ENC[AES256_GCM,data:9SS/lteI3EANPDYzWdZZWq3x0Bl30EgSorUesY2vS1BPKCs=,iv:7+XnRIZrRG25Rjg7N+u34gDW4iVbHPzQbJ8pp39L6ao=,tag:N+WFMVUwKRA6H1ro1bbtZw==,type:str] - REDIS_SENTINEL_MASTER_NAME: ENC[AES256_GCM,data:iL8r8pQ4TIU=,iv:xFSpe5B3NJtKOqWZCgqFihxfVOFSe/ysJDE37Ak/vW4=,tag:AXTyzU7m3u/eqfqCgm1slA==,type:str] - REDIS_PASSWORD: ENC[AES256_GCM,data:KQlqKKNg6KQrepj58F38vahfq8bt76c=,iv:DqPeCtiJPVeEZ6Et8AlcNUvvdCl2AbVBYvpoS/HkVV0=,tag:1Demiblvl0Lnhmlop9Im4g==,type:str] + SUPABASE_ANON_KEY: ENC[AES256_GCM,data:wSuv0Y71rXeyUtGZmNyPF6HMjtkTbX1CpRAEJCDECFtEVWJJpTPMuKhTm6ZtsA==,iv:iTDC8+WeA7IXM+tQeKOw0JPrITPQMwx7R97avzMRNe0=,tag:9jFbCzNHePPAHq8v9JS+lw==,type:str] + REDIS_PASSWORD: ENC[AES256_GCM,data:lTHLRIRG/xJKQCGQTlP+d20tjzKob6Q=,iv:1vQ8ph/EnjcDbMZ6HrDg4Dw1rf0Wm75cZrwmJX9IjJQ=,tag:jFQhyhwIF+IR6sZdcWoN6w==,type:str] sops: gcp_kms: - resource_id: projects/varuna-400921/locations/global/keyRings/sops/cryptoKeys/sops-key - created_at: "2026-02-24T17:16:29Z" - enc: CiQA/cVY+2p6ekmTf7SP9+PcNZPrBdAhv/xxVpGpyE7RKDCttEgSSQAXYxKUl7FtkemQtdzLxV3A8KXUgS26JU/tYtlqmMdNCzDHKDbu44gZmQE0PxDrpWDaugwV0sSztqh8oTx3PjerjAujikHBy60= - lastmodified: "2026-02-24T18:14:31Z" - mac: ENC[AES256_GCM,data:eTO8aGnceA9ufhtvQwTAL0DfUkkWC0lL6/HE4UrwaCgQ8mDM6byt8nFUs9DuM1ip6y9Zvt9+es0xh+wQyyLoZZsGO3xbtZdhOPdnlMzxtT2t0cWuVFzg6Q7wDfAL9Nna48JGviaohFsjOt/aeLSHFvvG89wRRpw0Q1jRQX84jIE=,iv:bk24WFdzIZj6rcbNhth98y2eZySEkQMsGhi7dQb3giQ=,tag:aHdahuGAzpi3/00R4/qaIQ==,type:str] + created_at: "2026-02-25T11:10:15Z" + enc: 
CiQA/cVY+5Lxs66yCcCdlLgZSXUhE54B8/LQToEgYZPmxBNOpkcSSQAXYxKUvmDxFf+w9AAcGnJDzTQgWQDfqyqIIJqfNi0a0U+yw9PcBPWUZfB21/Yo7m8DV3kFC7eLo/Fl74gZIbXLFyi37TYWvno= + lastmodified: "2026-02-25T11:10:15Z" + mac: ENC[AES256_GCM,data:kXGp/yKjulYEy1ks4p5T8nzUWUOSHKufVcUqn6QL06W1+Rt3ijLIOPdn0+MZqyulpxfzoMlcoNo2r0Tjk12Bsi7Ly4S8no6ho0ad3Oow1wVYPoAPQsg7MTpt8ls8Yw5tu/y/xWcS8ipuX7a6KQCiBm6TN296GjU2SIKD7H7v1OE=,iv:Yt1C4sR1dNTxNRHdqP/VkVDawzsqcSE1jpWGkuVtVAY=,tag:v+f0QuW/wgzmBB0ny7DmEQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0
diff --git a/everyrow-mcp/deploy/chart/secrets.staging.enc.yaml b/everyrow-mcp/deploy/chart/secrets.staging.enc.yaml
index fbe120e7..a3567372 100644
--- a/everyrow-mcp/deploy/chart/secrets.staging.enc.yaml
+++ b/everyrow-mcp/deploy/chart/secrets.staging.enc.yaml
@@ -1,16 +1,13 @@ secrets: data: - SUPABASE_ANON_KEY: ENC[AES256_GCM,data:O/gqSYAPhpJB4WMAr7D9HnkLT+NjSwN9jcMBW9/MXGpbRxFB72+hY/AIWHvh6A==,iv:fcR1gyF8YBRmYYI8z79r10NVL0KlQnvt6/DCV2x7uXI=,tag:RyWgufxfiFez/LPge96crQ==,type:str] - SUPABASE_URL: ENC[AES256_GCM,data:xGylUJThxPDcaMnpdKfpN1X3tq+zp+eTLGEcXiGGKTIByjV0bZxuow==,iv:0BkTS59QCId/ZykaZKPy0hUK/UDTEIRlHV6cBerD/0A=,tag:7ZiBQMNmMCW5Kb7rH659yA==,type:str] - REDIS_SENTINEL_ENDPOINTS: ENC[AES256_GCM,data:TVzm6CBXI8BhCELne88ygHMaiQZcxeTwHUbw7qhZPNc41hg=,iv:QP2lrMEsMEZHqCqQNywGUxgbmb8HBycUGj3pP2b8vwg=,tag:sp8NKF2q8LOJJg/fGmhxbQ==,type:str] - REDIS_SENTINEL_MASTER_NAME: ENC[AES256_GCM,data:ok5ySd/JcW4=,iv:vCIUZyvuGwlu5laCUHIBq3gt9XSiTXxqY/wo22G5OtE=,tag:WSQ0qfvDmck5nsD4UXEatQ==,type:str] - REDIS_PASSWORD: ENC[AES256_GCM,data:Cgx61Unnp8BCiYRPhLhqjTv7gzp/72M=,iv:IUTcAexUCiB3iR38OtIceeKX+yo/MifBnBCCJz/AtDA=,tag:4OXaJjosbnbZlQL5WtewMg==,type:str] + SUPABASE_ANON_KEY: ENC[AES256_GCM,data:91ALSXpACOcExu9kgigc9NQcC+/HMKu1dAOR7rfdpuIpjgvGQp5v4+FxADYlyw==,iv:XTqbbLdKC5iObcSkXL4bvB0RM6asW9N/cPqqLeJKzkQ=,tag:0S6q5tLY7mS7ytg6hbfD/w==,type:str] + REDIS_PASSWORD: ENC[AES256_GCM,data:Sd3POn+j8f9fHE7s38MF+xbROYI3EU8=,iv:fS356TlleVNZlKlKlwowTQqY4tSmJOw/2jO2sq2CMFE=,tag:yA4C4vPZ393yS+aq7Tp+1w==,type:str] sops: gcp_kms: - resource_id: projects/varuna-400921/locations/global/keyRings/sops/cryptoKeys/sops-key - created_at: "2026-02-24T17:16:29Z" - enc: CiQA/cVY+wxwbn3to4SujOzX8LvgAMs5XQ3uZ6fzfY4YaAu5bkISSQAXYxKUC27tVeFnPGIN5cht68JZq3LLkXFSHLg0TOge/iIswyoNgsBZKnA9mqXL28d02N4eR1E24UhlBzMPPcw3V1AY3cY+wY8= - lastmodified: "2026-02-24T18:34:51Z" - mac: ENC[AES256_GCM,data:inP810beROY5DGGB8ob295p17WnLQdtt9zDHBIFQMOMo6L1ZxYWZMyRpUVhau/gaNe9BrpDw+GldloTKiHEUgcZW+DyJXrbawEJ4vF+TJZUy8MPlQYGPal3yxNJ4T10w5IJQiKUeKtpuW8BvHAqQWlWlpbcd+WjVcXYkIn1HcOA=,iv:yS49RNbfZz1tDIvcyxAIcbth0RiFR6feUzOWi7rD5Rg=,tag:l5e3Mfz+4552qcVmdnk+Hw==,type:str] + created_at: "2026-02-25T11:10:15Z" + enc: 
CiQA/cVY+4bC5CwWKs0EYtD4Vh98YnXRicWWofDqiY3lryn33eESSQAXYxKU8vjWyssAbPeLpZsYxzqsAtP8W1zwxFoyDwm7hyGRJbW2AI6wgwtKKkQ29GCLwRwcaHefFmemPXu21lKyN4O38zJq2Jo= + lastmodified: "2026-02-25T11:10:15Z" + mac: ENC[AES256_GCM,data:pXawt0+3S52U5ruvsmrmflor7Xy7ODt0kKNi3tK+iawctin/5kmJ9jt64mRB623RAt0eKafcwtL18uPxts4iaB0JyM4q5PZKWWRTmeQh9bXNQSv6JEn4rUe+n7lisRtx7sLPoN+EcClHxk5DRlWIn5m44a/mViMMEvA9ChY6QcY=,iv:5n8QgZI3s4tPVvjkSDlWCvbPuclCfe6Gh5yDT3aggY4=,tag:gqjJu0UAQxrUgCQwjLlWDQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0
diff --git a/everyrow-mcp/deploy/chart/values.yaml b/everyrow-mcp/deploy/chart/values.yaml
index 51b381d9..195329eb 100644
--- a/everyrow-mcp/deploy/chart/values.yaml
+++ b/everyrow-mcp/deploy/chart/values.yaml
@@ -27,6 +27,9 @@ env:
 MCP_SERVER_URL: "https://mcp.everyrow.io"
 EVERYROW_API_URL: "https://everyrow.io/api/v0"
 REDIS_DB: "13"
+ SUPABASE_URL: "https://iliivszxpymuffgrwsws.supabase.co"
+ REDIS_SENTINEL_ENDPOINTS: "redis.utils.svc.cluster.local:26379"
+ REDIS_SENTINEL_MASTER_NAME: "mymaster"
 httproute:
 host: mcp.everyrow.io
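Review bot: The three keys added under `env:` become chart-wide defaults, whereas before this patch production and staging each carried their own encrypted copy of `SUPABASE_URL`, `REDIS_SENTINEL_ENDPOINTS` and `REDIS_SENTINEL_MASTER_NAME`. No staging values file is touched here, so unless an override exists outside this diff, staging will resolve to the same Supabase project and Sentinel as production; confirm the two environments really shared these values, or set them per environment in the staging values file. A comment above the new keys would keep the split clear for later edits, e.g. `# Non-secret endpoints only; SUPABASE_ANON_KEY and REDIS_PASSWORD stay in secrets*.enc.yaml`. With the project URL now in plaintext, the Supabase side presumably relies on row-level security rather than on the endpoint being private, which is worth verifying. The `env:` mapping starts above the hunk.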