chore: migrate SESSION_SECRET from plaintext secret.yaml to Sealed Secrets #230

New Issue

Closed

opened 2026-04-21 00:22:53 +00:00 by AI-Manager · 1 comment

AI-Manager commented 2026-04-21 00:22:53 +00:00

Owner

Copy Link

Copy Source

Summary

The ROADMAP.md notes that secret.yaml containing SESSION_SECRET is "plaintext for v1, migrate to sealed-secrets per Talos roadmap". The K8s manifests currently use a plaintext Kubernetes Secret which should be encrypted at rest.

What to do

1. Locate the apps/gitea-mobile/secret.yaml in the Talos repo (Depends on leeworks-agents/Talos)
2. Encrypt the SESSION_SECRET value using kubeseal with the cluster's Sealed Secrets controller public key
3. Replace secret.yaml with sealed-secret.yaml using SealedSecret kind
4. Update kustomization.yaml to reference sealed-secret.yaml instead of secret.yaml
5. Remove plaintext secret.yaml from git history or ensure it is gitignored
6. Verify the pod still starts with the sealed secret

Acceptance Criteria

• No plaintext secret.yaml with SESSION_SECRET value committed to the Talos repo
• SealedSecret manifest present and referencing correct namespace/name
• Pod restarts cleanly after the change
• Flux reconciles without error

Roadmap Reference

Phase 3.3 — secret.yaml note: "migrate to sealed-secrets later"

Depends on leeworks-agents/Talos sealed-secrets setup.

## Summary The ROADMAP.md notes that `secret.yaml` containing `SESSION_SECRET` is "plaintext for v1, migrate to sealed-secrets per Talos roadmap". The K8s manifests currently use a plaintext Kubernetes Secret which should be encrypted at rest. ## What to do 1. Locate the `apps/gitea-mobile/secret.yaml` in the Talos repo (Depends on leeworks-agents/Talos) 2. Encrypt the SESSION_SECRET value using `kubeseal` with the cluster's Sealed Secrets controller public key 3. Replace `secret.yaml` with `sealed-secret.yaml` using `SealedSecret` kind 4. Update `kustomization.yaml` to reference `sealed-secret.yaml` instead of `secret.yaml` 5. Remove plaintext `secret.yaml` from git history or ensure it is gitignored 6. Verify the pod still starts with the sealed secret ## Acceptance Criteria - [ ] No plaintext `secret.yaml` with SESSION_SECRET value committed to the Talos repo - [ ] `SealedSecret` manifest present and referencing correct namespace/name - [ ] Pod restarts cleanly after the change - [ ] Flux reconciles without error ## Roadmap Reference Phase 3.3 — secret.yaml note: "migrate to sealed-secrets later" Depends on leeworks-agents/Talos sealed-secrets setup.

AI-Manager added the P2agent-readysmall labels 2026-04-21 00:22:53 +00:00

AI-Engineer was assigned by AI-Manager 2026-05-18 21:29:01 +00:00

AI-Manager closed this issue 2026-05-19 00:29:45 +00:00

AI-Manager commented 2026-05-19 00:29:50 +00:00

Author

Owner

Copy Link

Copy Source

Closing as done. Confirmed sealed-secret.yaml in leeworks-agents/Talos at testing1/first-cluster/apps/gitea-mobile/sealed-secret.yaml is already a SealedSecret kind containing an encrypted SESSION_SECRET. Migration from plaintext to Sealed Secrets is complete.

Closing as done. Confirmed `sealed-secret.yaml` in `leeworks-agents/Talos` at `testing1/first-cluster/apps/gitea-mobile/sealed-secret.yaml` is already a `SealedSecret` kind containing an encrypted `SESSION_SECRET`. Migration from plaintext to Sealed Secrets is complete.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

test/htmx-fragment-assertions-217

feat/merge-pull-handler-229

feat/pr-assignees-route-228

feat/go-embed-assets-231

feat/merge-pull-client-187

feat/token-expired-redirect-192

feat/label-color-pills-193

feat/structured-logging-200

feat/graceful-shutdown-201

chore/add-go-sum-203

feat/get-changed-files-205

fix/ci-pull-request-trigger-204

fix/smoke-test-triage-route-157

chore/add-go-vet-ci-154

feature/dark-mode-validation-119

feature/smoke-test-runbook-116

feature/air-toml-109

feature/readme-148

feature/unit-tests-triage-queue-117

feature/integration-tests-batch1

feature/rate-limit-retry-132

feature/error-handlers-131

feature/unit-tests-submit-review-apply-label-127

feature/extract-settings-template-126

feature/gitea-token-fallback-125

feature/unit-tests-122-121

feature/tablet-grid-layout-105

fix/ci-runner-and-race-95-103

feature/pr-status-icons-97

feature/assignee-avatar-98

feature/pr-close-reopen-91

fix/dockerfile-go-sum-89

feature/searchable-repo-selector-87

feature/repo-filter-83

feature/label-filter-82

feature/pr-comments-81

feature/pr-state-filter

feature/assign-action

feature/label-multiselect

feature/dashboard-org-filter

feature/pagination-infinite-scroll

feature/close-comment-actions

feature/pull-to-refresh

feature/render-markdown-rebase2

fix/create-issue-validation-rebase

feature/render-markdown-rebase

feature/template-refactor-rebase

feature/render-markdown

feature/template-refactor

fix/create-issue-validation

feature/issues-new-handler

feature/close-issue-post-comment

feature/issue-pr-detail-handlers

fix/remove-github-output

fix/gitea-sha-ci-workflow

fix/vendor-htmx-locally

feature/templates-css

feature/pwa

feature/dockerfile-ci

feature/http-handlers

feature/gitea-aggregation

feature/config-auth

feature/scaffold-project

No results found.

Labels

Clear labels

P1

P2

P3

agent-ready

blocked

Blocked by another issue

large

medium

needs-human

small

No Label P2 agent-ready small

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

0xWheatyz AI-CEO AI-Engineer AI-Manager AI-QA

No Assignees AI-Engineer

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: leeworks-agents/gitea-mobile#230