Ga naar inhoud

runner-secrets

Purpose: the cluster-side secrets, split by sensitivity. Not in kustomize build — delivered out-of-band (SOPS+age) so ArgoCD can sync the platform without decrypting.

Holds (manifests/components/runner-secrets/): - forgejo-runner-conn — the host runner's connection config (config.yml: org uuid+token, capacity, labels, job proxy env). Encrypted in git as runner-conn.sops.yaml. - forgejo-runner-oci-conn — same, for the con-ci-oci runner (template only until applied). - nextcloud-signing-key — the Nextcloud app-signing key (crown jewel), template only; runtime-mounted in the signing job, never a Codeberg Actions secret.

Key facts: - .sops.yaml lives at the repo root (so sops auto-discovers it); rule encrypts only data/stringData, metadata stays readable. - The age private key decrypts everything: on-cluster Secret sops-age (con-ci) + operator copy at ~/.config/sops/age/keys.txt + an offline backup. Never in git. - Codeberg only holds runner identity (uuid/token); never a deploy/push credential.

Operate: - Encrypt: sops --encrypt --in-place manifests/components/runner-secrets/<x>.sops.yaml. - Apply (until ArgoCD KSOPS exists): sops -d <x>.sops.yaml | kubectl -n con-ci apply -f -. - Verify decrypt: sops -d <x>.sops.yaml >/dev/null && echo OK. - Full runbook in onboarding.md.

Deferred: ArgoCD KSOPS auto-decrypt (needs the age key in the argocd ns + a repo-server plugin); Change-2 migration to Vault/ESO (ESO 2.x is already installed cluster-wide).