From 5d238787368b7591fc5657f262b04cfe00a68184 Mon Sep 17 00:00:00 2001 From: "Adrian A. Baumann" Date: Sat, 28 Feb 2026 22:45:43 +0100 Subject: [PATCH] docs: add secrets management design (kubectl bootstrap script) Co-Authored-By: Claude Sonnet 4.6 --- .../2026-02-28-secrets-management-design.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/plans/2026-02-28-secrets-management-design.md diff --git a/docs/plans/2026-02-28-secrets-management-design.md b/docs/plans/2026-02-28-secrets-management-design.md new file mode 100644 index 0000000..c026476 --- /dev/null +++ b/docs/plans/2026-02-28-secrets-management-design.md 
@@ -0,0 +1,26 @@ +# Secrets Management Design + +**Goal:** Remove secrets from the Helm chart and provide a kubectl script to bootstrap them out-of-band, compatible with ArgoCD. + +**Approach:** Pre-create with kubectl script (Option A). Helm stops owning the secret; a bootstrap script creates it before the first ArgoCD sync. + +--- + +## Helm chart changes + +- Delete `templates/secret.yaml` — Helm no longer creates or owns `shorefront-secret` +- Remove the `secrets:` block from `values.yaml` and `values-prod.yaml` — no secret values in git +- The `secretKeyRef` references in `backend-deployment.yaml` and `postgres-deployment.yaml` are unchanged; they already reference `shorefront-secret` by name + +## Script: `scripts/create-secrets.sh` + +- Reads `POSTGRES_PASSWORD` and `JWT_SECRET_KEY` from environment variables; exits with a clear error if either is unset +- Creates the `shorefront` namespace if it does not exist (safe to run before `helm install`) +- Uses `kubectl create secret generic shorefront-secret --dry-run=client -o yaml | kubectl apply -f -` for idempotency (safe to re-run for credential rotation) +- Prints success/failure + +## ArgoCD workflow + +1. Operator runs `scripts/create-secrets.sh` once on bootstrap (and again on rotation) +2. ArgoCD syncs the Helm chart; `shorefront-secret` already exists, pods start normally +3. ArgoCD does not manage the secret (no `managed-by: Helm` annotation), so it never diffs or deletes it
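Review bot: The "safe to re-run for credential rotation" bullet under `scripts/create-secrets.sh` and step 1 of the ArgoCD workflow leave out what rotation actually requires: both deployments consume `shorefront-secret` via `secretKeyRef` (i.e. as environment variables), and Kubernetes does not update env vars in running pods when a Secret changes, so re-applying the Secret alone changes nothing until the backend and postgres pods are restarted; the script or the workflow should add a `kubectl rollout restart deployment ...` step (or state that the operator must do it). Also worth documenting: changing `POSTGRES_PASSWORD` in the Secret does not change the password stored inside an already-initialised Postgres data directory (the stock image only reads that variable on first init), so rotation needs an `ALTER ROLE` against the database as well, otherwise the backend will start with a new password the database does not know. Separately, step 3's justification ("no `managed-by: Helm` annotation") names the wrong mechanism: ArgoCD decides what it owns by its own tracking label (`app.kubernetes.io/instance` by default, or the `argocd.argoproj.io/tracking-id` annotation), not by Helm's ownership metadata, since it renders the chart with `helm template` rather than `helm install`; suggest rewording to "the script-created Secret carries no ArgoCD tracking label, so ArgoCD never diffs or prunes it".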