6 changes: 3 additions & 3 deletions .sops.yaml
Expand Up @@ -2,7 +2,7 @@ stores:
yaml:
indent: 2
creation_rules:
- path_regex: secrets-rw\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"
- path_regex: secrets-ro\.yaml
- path_regex: ci.secrets.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"
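Review bot: the new first rule `path_regex: ci.secrets.yaml` matches neither of the files this PR adds, so the ro-vault rule is dead and the routing is wrong for `secrets.ci.yaml`. In both `secrets.ci.yaml` and `secrets.admin.ci.yaml` the substring `ci` is followed by `.yaml`, not by `secrets`, so both fall through to the catch-all `.*secret(s)?.*\.yaml` and are assigned `sops-key` in `sops-master.vault.azure.net`, while `secrets.ci.yaml` was actually encrypted under `sops-ro-key` in `sops-ro.vault.azure.net`. Creation rules are consulted when a file is first encrypted and when `sops updatekeys` runs, not on decrypt or edit, so editing keeps working today, but the next `updatekeys` would silently re-key `secrets.ci.yaml` to the master vault and any new `*.ci.yaml` file would be created under the wrong key. The pattern suggested in the review comment below, `(ci|.*\.ci)\.secrets\.yaml`, has the same defect: it also requires `ci` to precede `secrets`. Anchor and escape the pattern so it names exactly the one file meant for the ro vault, e.g. `- path_regex: ^secrets\.ci\.yaml$`, keep it ahead of the catch-all, and note that the unescaped dots in `ci.secrets.yaml` match any character; the `^...$` anchors also guarantee it can never pick up a longer name such as `secrets.admin.ci.yaml`, which is correctly encrypted under the master key.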
Comment on lines +5 to +8
Configuration mismatch: The path_regex rules will cause encryption key conflicts.

The file secrets.ci.yaml matches the second rule .*secret(s)?.*\.yaml which specifies the master vault (sops-master.vault.azure.net), but the actual file is encrypted with the ro vault (sops-ro.vault.azure.net/keys/sops-ro-key).

This will cause SOPS operations to fail when trying to edit or re-encrypt secrets.ci.yaml because SOPS will attempt to use the wrong key.

Fix: Update the first rule to match the actual filename pattern:

creation_rules:
  - path_regex: (ci|.*\.ci)\.secrets\.yaml
    azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
  - path_regex: .*secret(s)?.*\.yaml
    azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"

Or alternatively, ensure secrets.ci.yaml is re-encrypted with the master vault to match the current regex pattern.

Suggested change
- path_regex: ci.secrets.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"
- path_regex: (ci|.*\.ci)\.secrets\.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"

Spotted by Graphite

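The mismatch the review comment describes can be checked mechanically rather than by eye. The script below is an added example, not code from this repository or from Graphite: it transcribes the three rule sets in play (the committed `.sops.yaml`, the pattern suggested in the comment, and my proposed anchored pattern `^secrets\.ci\.yaml$`, which is an assumption and not part of the PR), replays sops' first-match rule selection with Python's `re.search` (unanchored, like Go's `regexp.MatchString`; the two dialects agree for these patterns), and compares the selected key against the `vault_url`/`name` recorded in each file's `sops.azure_kv` metadata. The two file bodies are constructed stand-ins that reproduce only the metadata lines from the diff, not the ciphertext.

```python
import re

# Rule sets transcribed from the .sops.yaml diff and the review comment.
RO_KEY = "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
MASTER_KEY = "https://sops-master.vault.azure.net/keys/sops-key/"
CATCH_ALL = {"path_regex": r".*secret(s)?.*\.yaml", "azure_keyvault": MASTER_KEY}

COMMITTED_RULES = [{"path_regex": r"ci.secrets.yaml", "azure_keyvault": RO_KEY}, CATCH_ALL]
GRAPHITE_RULES = [{"path_regex": r"(ci|.*\.ci)\.secrets\.yaml", "azure_keyvault": RO_KEY}, CATCH_ALL]
# Proposed replacement (assumption): anchored and dot-escaped, matches exactly one file.
FIXED_RULES = [{"path_regex": r"^secrets\.ci\.yaml$", "azure_keyvault": RO_KEY}, CATCH_ALL]

# Constructed stand-ins for the two committed files: only the sops.azure_kv
# metadata lines that identify the wrapping key are reproduced.
FILES = {
    "secrets.ci.yaml": (
        "GITHUB_APP_APP_ID: ENC[...]\n"
        "sops:\n"
        "    azure_kv:\n"
        "        - name: sops-ro-key\n"
        "          vault_url: https://sops-ro.vault.azure.net\n"
    ),
    "secrets.admin.ci.yaml": (
        "PG_ROLE_patchats-stg-sa: ENC[...]\n"
        "sops:\n"
        "    azure_kv:\n"
        "        - name: sops-key\n"
        "          vault_url: https://sops-master.vault.azure.net\n"
    ),
}

KEY_URL = re.compile(r"^(https://[^/]+)/keys/([^/]+)")


def key_from_rule(rule):
    """(vault_url, key_name) from a creation_rules azure_keyvault URL; key version is ignored."""
    m = KEY_URL.match(rule["azure_keyvault"])
    return (m.group(1), m.group(2)) if m else None


def key_from_file(text):
    """(vault_url, key_name) from the sops.azure_kv block of an encrypted file."""
    vault = re.search(r"^\s*vault_url:\s*(\S+)", text, re.M)
    name = re.search(r"^\s*-?\s*name:\s*(\S+)", text, re.M)
    if not (vault and name):
        return None
    return (vault.group(1).rstrip("/"), name.group(1))


def first_matching_rule(rules, path):
    """sops takes the first rule whose path_regex matches anywhere in the path."""
    for rule in rules:
        if re.search(rule["path_regex"], path):
            return rule
    return None


def find_mismatches(rules, files):
    """Map path -> (expected_key, actual_key) for files whose wrapping key
    differs from the one creation_rules would select for that path."""
    mismatches = {}
    for path, text in files.items():
        rule = first_matching_rule(rules, path)
        expected = key_from_rule(rule) if rule else None
        actual = key_from_file(text)
        if expected != actual:
            mismatches[path] = (expected, actual)
    return mismatches


if __name__ == "__main__":
    for label, rules in (("committed", COMMITTED_RULES),
                         ("graphite", GRAPHITE_RULES),
                         ("fixed", FIXED_RULES)):
        print(label, find_mismatches(rules, FILES) or "OK")
```

Against the committed rules and against the Graphite suggestion, `secrets.ci.yaml` is reported as expected-master/actual-ro; with the anchored rule nothing is reported. Running the same comparison over the real repository (replace `FILES` with the on-disk contents) before each `sops updatekeys` would catch a rule that is about to move a file onto a different vault.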
5 changes: 5 additions & 0 deletions CODEOWNERS
Expand Up @@ -3,3 +3,8 @@
CODEOWNERS @Patina-Network/admin

.github/ @Patina-Network/cicd

secrets.admin.ci.yaml @Patina-Network/infra

secrets.ci.yaml @Patina-Network/infra

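Review bot: `.sops.yaml` is changed in this PR but, unless it is covered by lines above this hunk, has no owner here, while the two secrets files it routes now require `@Patina-Network/infra` review. Whoever can edit `creation_rules` decides which vault key future secrets are wrapped with, which is at least as sensitive as the secret files themselves; add `.sops.yaml @Patina-Network/infra` (or `@Patina-Network/admin`, matching the existing `CODEOWNERS` line). Listing files by exact name also means a new secrets file with a different name gets no mandatory reviewer; a pattern such as `secrets*.yaml @Patina-Network/infra` would cover the catch-all rule in `.sops.yaml` as well.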
13 changes: 0 additions & 13 deletions secrets-ro.yaml

This file was deleted.

33 changes: 0 additions & 33 deletions secrets-rw.yaml

This file was deleted.

14 changes: 14 additions & 0 deletions secrets.admin.ci.yaml
@@ -0,0 +1,14 @@
#ENC[AES256_GCM,data:JYQUiLXEk0aWuUTpj3OYZyyZSDBy/7uWXO3T7KlcSLkDEn0xFsXybvx7xJcWuJts/EHgAw==,iv:40ONwTppG+DdxMZjbMzGVKL8MsMe3TZDMbmwnUoHH8E=,tag:BPPhA7g6hhyCizzrrbPyXw==,type:comment]
PG_ROLE_patchats-stg-sa: ENC[AES256_GCM,data:26w5a29jK06nOYL15XcuEQ8xM5ug12g8K9mGiNq3fKY=,iv:6M8RfIXbaMkxlb4J8m6bso23SPfXX9FK3p1qDAxpe7E=,tag:EFVdaDEEeE7HqV4rQNhEHA==,type:str]
PG_ROLE_patchats-prod-sa: ENC[AES256_GCM,data:HibwTNBouRVRs4dqtFvXnfroWQJXXsP418VqPmEEUVU=,iv:tABSLqxmo9HNL+GFTzFsSDL94gxA2f1H1ujh0FdQQK8=,tag:lZ58rlucrSA2DEqLEAKC9Q==,type:str]
sops:
azure_kv:
- created_at: "2026-06-10T00:42:55Z"
enc: Q0NPAxAuflLSZesMWzvxiUlzqta8ouMnOpp-bBENtTe1hmjA7EO7Y_Y2gvNj78wcNyuYPZMbHVDywuayMbFp79uyIuwSBloJmhqpIjULoIXCWCn77nRKVcXbQPmjnYGzOdjNtaQawVv6Gw-LqD2hnGxgS_jB5WhwjT8K6QhG7tHS_Kmo27K2PquZfdT225z7Wggtqkt6VN-ie31njBDlc8H3Dx0hLEm0wQAsN9lfx2UEwUD5SLoe6vTSEzIsbXb5UDwj-v-B909NjAY8jsh4yjGpe9_5saKtm-k7y5GZi-8VbJh5WvxcO1ZXeRdUKG4_s3w62pS-Q0lvvuKMkl6kTQ
name: sops-key
vault_url: https://sops-master.vault.azure.net
version: 90784f2986de4514934b4d1f682d3e59
lastmodified: "2026-06-10T00:42:56Z"
mac: ENC[AES256_GCM,data:toq8TBNd8MXRiV3Df8wulw516iV9HTeE+HiLZnw/Fi5LS5CYriItb2pAXws1r+zYMUAboJ+3tk1pvjAffxZXlFopCP5qT0NVRNyqNUbwi/FNHQIRA8bqG2Z382BU9KThqB4sI4SQKrv2J8R6nSNL4h3E/Icsr8DDR43TH7pBKFU=,iv:8GrEtfstiMmvMRX1zL2SvY33psxMkztDauuAuUC993I=,tag:/Wz+vh+6xHgO+X+u5U+2lA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.1
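Review bot: staging and production role credentials (`PG_ROLE_patchats-stg-sa`, `PG_ROLE_patchats-prod-sa`) share one data key wrapped only by `sops-key` in `sops-master.vault.azure.net`, so any principal granted decrypt on that key for a staging job can read the production value too; splitting them into per-environment files keeps a compromised staging pipeline from reaching prod. Also, if these are meant to land in the environment (the `PG_ROLE_` prefix suggests so), shells cannot reference a variable whose name contains `-`, so the `patchats-stg-sa` / `patchats-prod-sa` suffixes will need renaming or a mapping step at the consumer. Finally, with a single `azure_kv` entry, loss of access to that one key version makes the file unrecoverable; sops allows more than one key per file if a recovery key is wanted.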
15 changes: 15 additions & 0 deletions secrets.ci.yaml
@@ -0,0 +1,15 @@
#ENC[AES256_GCM,data:qE98Q60Bg0l1HXMQrqHo5QogKV8shLkOrm3NyLywCx3duhk9D6C0Wbne2UHD6Bfd7CaScA==,iv:2FuKLItO8y6VqNmwama+nc7PiuK685cT24doSz+EBjM=,tag:F76ao1gb6w4F591qjJHBug==,type:comment]
GITHUB_APP_APP_ID: ENC[AES256_GCM,data:/zDLkRlj6w==,iv:wtIraBrVH6BN4VWl+fpqDlPuI28CyIq2Gzp4bQNe+Qs=,tag:YPYYXLa2YzRzSRI6hvlNyg==,type:str]
GITHUB_APP_INSTALLATION_ID: ENC[AES256_GCM,data:6thy6wpRMBo9,iv:zQOGXwEOfyZJgso+moCd2EIECQPo3+rLzfOk1b757qs=,tag:BlGBrEo4ezur7Om5F9f4gw==,type:int]
GITHUB_APP_PEM_CONTENT: ENC[AES256_GCM,data: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,iv:iBGHZRcesMGP7nQjHAX6hMyJLzebz6MVwfXqK5JXPMs=,tag:fZAdfLUc1+0maMfpd5JyAA==,type:str]
sops:
azure_kv:
- created_at: "2026-06-10T00:45:11Z"
enc: n-Cqngek9pSDmbh99JbRbWHqyvuco5CD6U6rQbXUNivIBZwso94YAcnl4a9Kez16VcMDXr6dDOr9wbQMEsDA0Dow5QGc3LwarSfXMCmLM1Cj9HgEIrZvYxWVkjKfzT31K0yQhwc4tcMS9Vz_5wCNESfJt53ZCQa4uRyVSMBPPATk-Zsrlv1nYaJMEMXAqLwhmCmcoWyy0RWA3lWOZJdhxy2_LxkjEfMJjQEMdggRBld7gKijZRThoLQtwOQSuMmB1px0gTlGgbdaYc7YpsYjim4g1npdBBSR1NbC9Zpo9FDNJhegs4n7t-qYAeiPAqp6bztMYMF359nL1IH8iDemL42tVnPkrTfR7xcpv7Tsm0GhZ82oFOeGaDH2ff6n4lWP6NpUw-KAfD6fw00BW3SLZlJzBOpQuAl9BlHFuBylgzh4gcMe2c_17AuElpYtuJ1zk-HV-2DbK-Q6Q8GsOWChCHdJvKxu4YKE3VOlQf0eerUZKVlnv9uc5BC8vormKT2wIGBBKMlKf_2mWDIm28vWF2nRTuQhmPwN3bi-O-fU4oD5PqFSlugGj8qBSyB5wNTDna3BBXYEP0lfpnZZE_fj_JW42g906_3Vm_dpAhspwOXky7Q9fZQuAv7Q4vJaOsMedfQnaNAhavsSPMsd03wchmL9znu1VGCjanGVXdeHQ4Q
name: sops-ro-key
vault_url: https://sops-ro.vault.azure.net
version: addd283ca3a54c0cbc4378b37dc4fcf1
lastmodified: "2026-06-10T00:45:13Z"
mac: ENC[AES256_GCM,data:yDcfyAprtSwKUWN8mOzm6i5QfdqZHs2qyGX4EMGbABTWR7TYwmE+ikjgVDi80WD5jHbAHtDOsTJdWl8eAxGZfikgms1CvXZFArrStSLtEruo3iDgO0pi/J5zJAZ5biEYTv74EJ2FxGfHJ8N3Sw9YfjoWK6Hs4P+CGudK6NE6hQ4=,iv:gjjOWfkNdZdzXg/Ir1zyM7FGqNQ1fIXdTLquxwYP2mA=,tag:x7/i1XxNuAdcPbqa1NZY9w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.1
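Review bot: `GITHUB_APP_PEM_CONTENT` is a GitHub App private key, and this file is wrapped only by `sops-ro-key` in `sops-ro.vault.azure.net`, the vault the `.sops.yaml` in this PR designates for CI. That private key can mint installation tokens for the installation named by `GITHUB_APP_INSTALLATION_ID`, so every principal with decrypt rights on `sops-ro-key` effectively holds the app's full permissions; confirm that is intended and that the key's access policy is limited to the CI identity, or keep the PEM in a file routed to the master vault and hand CI only short-lived installation tokens. Minor: `GITHUB_APP_APP_ID` is `type:str` while `GITHUB_APP_INSTALLATION_ID` is `type:int`; use one type for both so consumers need no special-casing.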