# SOPS-encrypted cluster secrets (noble)
Secrets that belong in git are stored here as Mozilla SOPS files encrypted with age. The matching private key lives in `age-key.txt` at the repository root and is gitignored. Generate it with `age-keygen -o age-key.txt`; its public key is the recipient listed in `.sops.yaml`, so add the new public key there whenever you rotate keys.
Migrating from an older cluster that ran Vault, Sealed Secrets, or External Secrets Operator: uninstall those Helm releases (`helm uninstall vault -n vault`, etc.), delete their namespaces if empty, export any secrets you still need into plain `Secret` YAML here, then encrypt with `sops` before committing.
## Prerequisites

- `sops` and `age` on the machine that encrypts or applies secrets.
## Edit or create a Secret

```sh
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt
# Create a new file from a template, then encrypt:
sops clusters/noble/secrets/example.secret.yaml
# Or edit an existing encrypted file (opens decrypted in $EDITOR):
sops clusters/noble/secrets/newt-pangolin-auth.secret.yaml
```
## Apply to the cluster

```sh
export KUBECONFIG=/absolute/path/to/home-server/talos/kubeconfig
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt
sops -d clusters/noble/secrets/newt-pangolin-auth.secret.yaml | kubectl apply -f -
```
Ansible (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when `age-key.txt` exists and `noble_apply_sops_secrets` is true (see `ansible/group_vars/all.yml`).
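As an added example, not a script from this repository: a guard that checks a `*.secret.yaml` really is SOPS-encrypted before it is committed or applied, with the decrypt-and-apply loop from above behind it. The sample files, the `age1...` recipient and the `ENC[...]` blobs are constructed placeholders; the guard relies only on the layout sops writes (a top-level `sops:` block with `- recipient:` entries, and `ENC[AES256_GCM,...]` values under `data:`/`stringData:`).

```sh
#!/usr/bin/env sh
# Added guard (not part of the repo): refuse to apply or commit a *.secret.yaml that is
# not actually SOPS-encrypted, i.e. one without sops metadata and an age recipient, or
# one where a value under data:/stringData: is a plaintext string instead of ENC[...].
# Return 0 when $1 looks fully encrypted; print the first problem and return 1 otherwise.
check_secret_file() {
  f="$1"
  grep -q '^sops:' "$f" || { echo "$f: no sops metadata (plaintext?)"; return 1; }
  grep -Eq '^[[:space:]]+- recipient: age1' "$f" || { echo "$f: no age recipient"; return 1; }
  awk 'BEGIN { bad = 0 }
    /^(data|stringData):/ { inblock = 1; next }   # enter a secret-data block
    /^[^[:space:]]/ { inblock = 0 }                # any other top-level key leaves it
    inblock && /^[[:space:]]+[^[:space:]#:]+:/ {
      val = $0; sub(/^[[:space:]]+[^:]+:[[:space:]]*/, "", val)
      if (val !~ /^ENC\[AES256_GCM,/) { print FILENAME ": plaintext value at line " NR; bad = 1 }
    }
    END { exit bad }' "$f"
}
check_secrets_dir() {  # return 1 if any *.secret.yaml in $1 fails the guard
  rc=0; for f in "$1"/*.secret.yaml; do check_secret_file "$f" || rc=1; done; return $rc
}
# The decrypt-and-apply loop from the README with the guard in front (needs sops, kubectl,
# SOPS_AGE_KEY_FILE and KUBECONFIG; not exercised by the demo below).
apply_secrets_dir() {
  [ -f "${SOPS_AGE_KEY_FILE:-}" ] || { echo "SOPS_AGE_KEY_FILE missing"; return 1; }
  check_secrets_dir "$1" || return 1
  for f in "$1"/*.secret.yaml; do sops -d "$f" | kubectl apply -f - || return 1; done
}
# Constructed samples: the shape sops emits for newt-pangolin-auth (blobs shortened,
# placeholder recipient) and a copy someone hand-edited, leaving NEWT_SECRET in the clear.
write_samples() {  # $1 = directory
  cat > "$1/newt-pangolin-auth.secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
    PANGOLIN_ENDPOINT: ENC[AES256_GCM,data:EXAMPLE,iv:EXAMPLE,tag:EXAMPLE,type:str]
    NEWT_ID: ENC[AES256_GCM,data:EXAMPLE,iv:EXAMPLE,tag:EXAMPLE,type:str]
    NEWT_SECRET: ENC[AES256_GCM,data:EXAMPLE,iv:EXAMPLE,tag:EXAMPLE,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
EOF
  sed 's/NEWT_SECRET: ENC\[.*/NEWT_SECRET: hunter2/' "$1/newt-pangolin-auth.secret.yaml" > "$1/hand-edited.secret.yaml"
}
# Demo on the constructed files: the encrypted one passes, the hand-edited one is reported.
demo_dir=$(mktemp -d); write_samples "$demo_dir"
check_secrets_dir "$demo_dir" || echo "guard rejected at least one file (expected)"; rm -rf "$demo_dir"
```

Running `check_secrets_dir clusters/noble/secrets` from a pre-commit hook catches a file that was edited outside `sops` before it lands in git; `sops -d` would already refuse such a file because its MAC no longer matches.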
## Files

| File | Purpose |
|---|---|
| `newt-pangolin-auth.secret.yaml` | Pangolin tunnel credentials for Newt (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`). Replace placeholders and re-encrypt before relying on them. |