Secret Management
All secrets are SealedSecrets — encrypted in git, decrypted on cluster.
Secret Distribution
| Secret | Pod | Keys |
|---|---|---|
| book-e-secrets | Book-E | discord-bot-token, anthropic-api-key |
| ai-accountant-secrets | API | folio-token, fiken-token, fiken-company-slug, postgres-password, postgres-connection-string |
| ghcr-pull-secret | All | .dockerconfigjson (GHCR registry auth) |
Isolation Principle
| Pod | Discord token | Anthropic key | Folio key | DB creds |
|---|---|---|---|---|
| Book-E | ✓ | ✓ | ✗ | ✗ |
| Accounting API | ✗ | ✗ | ✓ | ✓ |
Compromising one pod doesn't expose the other's secrets.
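The isolation matrix above only holds if the Deployment manifests actually reference secrets that way. The following is an added check, not part of this repo, that walks a pod spec for every place a Secret can be consumed (env `secretKeyRef`, `envFrom.secretRef`, secret volumes, `imagePullSecrets`) and flags anything outside the allow-list; the pod specs embedded here are constructed stand-ins for the Book-E and accounting API pods, not the real manifests.

```python
# Allow-list derived from the distribution table: pod name -> secrets it may read.
ALLOWED = {
    "book-e": {"book-e-secrets", "ghcr-pull-secret"},
    "ai-accountant-api": {"ai-accountant-secrets", "ghcr-pull-secret"},
}

def secret_refs(pod_spec):
    """Collect every Secret name a pod spec can read: env, envFrom, volumes, pull secrets."""
    refs = set()
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                refs.add(src["secretRef"]["name"])
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
    for ps in pod_spec.get("imagePullSecrets", []):
        refs.add(ps["name"])
    return refs

def isolation_violations(pods, allowed=ALLOWED):
    """Return {pod: secrets it references but is not allowed to}. Unknown pods get nothing (default-deny)."""
    violations = {}
    for name, spec in pods.items():
        extra = secret_refs(spec) - allowed.get(name, set())
        if extra:
            violations[name] = extra
    return violations

# Constructed pod specs mirroring the distribution table (hypothetical, not the repo's manifests).
BOOK_E = {
    "imagePullSecrets": [{"name": "ghcr-pull-secret"}],
    "containers": [{"name": "book-e", "env": [
        {"name": "DISCORD_BOT_TOKEN", "valueFrom": {"secretKeyRef": {"name": "book-e-secrets", "key": "discord-bot-token"}}},
        {"name": "ANTHROPIC_API_KEY", "valueFrom": {"secretKeyRef": {"name": "book-e-secrets", "key": "anthropic-api-key"}}},
    ]}],
}
API = {
    "imagePullSecrets": [{"name": "ghcr-pull-secret"}],
    "containers": [{"name": "api", "envFrom": [{"secretRef": {"name": "ai-accountant-secrets"}}]}],
}

if __name__ == "__main__":
    # Empty dict means every pod stays inside its allow-list.
    print(isolation_violations({"book-e": BOOK_E, "ai-accountant-api": API}))
```

Run it in CI against the rendered manifests (e.g. `kubectl get deploy -o json`, taking `.spec.template.spec`) so a stray `envFrom` cannot silently widen a pod's blast radius.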
Bitwarden References
| Secret | Bitwarden Entry |
|---|---|
| Discord bot token | "Book-E Discord Bot Token" |
| Anthropic API key | "Anthropic API Key (Book-E)" |
| Folio API key | "AI Accountant - Folio API Key (readonly)" |
Sealing Process
```bash
# --dry-run=client renders the Secret locally; the plaintext never reaches the API server.
# Only the kubeseal output (encrypted to the cluster's public key) is written to disk and committed.
# Note: --from-literal values land in shell history; prefer --from-file or a HISTCONTROL-aware shell.
kubectl create secret generic book-e-secrets \
  --namespace ai-accountant \
  --from-literal=discord-bot-token=<token> \
  --from-literal=anthropic-api-key=<key> \
  --dry-run=client -o yaml | kubeseal --format yaml > book-e-secrets.yaml
```

Commit the sealed YAML to git. ArgoCD syncs it, and the SealedSecrets controller decrypts it into a regular Secret on the cluster; only the cluster holding the controller's private key can do so.