Core Exercises (Required)

1. Create and Encrypt: Use scripts/sops-encrypt-secret.sh to create a secret named lab-secret in the develop namespace. Verify that the file in Git is encrypted.
2. Flux Verification: Commit the new secret and verify that Flux successfully reconciles it. Check its presence using kubectl -n develop get secret lab-secret.
3. Trigger a Failure: Intentionally use an incorrect public key in .sops.yaml and try to encrypt a file. Observe the error message.
4. Secret Exposure Drill: Simulate a secret leak by committing a plaintext dummy file (use a fake key). Follow the first 3 steps of the Leak Response Mini-Runbook.

Challenge Exercise (Optional)

Full Secret Leak Response: Simulate a full secret leak response: rotate the compromised secret, verify Flux picks up the new encrypted value, confirm the application restarts with the new secret, and document the complete response timeline.

Verification Checklist

• backend-secrets.yaml in Git is encrypted (ENC[...] values).
• secrets-develop Kustomization is Ready in Flux.
• backend-secrets exists in the cluster namespace.
• No plaintext values appear in the Git commit history.
• Local pre-commit no-secrets check passes.

Done When

You have completed this chapter when:

• You can explain why a git revert is insufficient after a secret leak.
• You have successfully demonstrated the encrypt -> commit -> Flux decrypt workflow.
• You can identify common decryption failures (missing keys, incorrect config).

Knowledge Check

Before finishing this chapter, complete the Quiz to verify your understanding of the guardrail principles.