orbstack-kubernetes/secrets.enc.yaml.example at main · dryvist/orbstack-kubernetes · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Copy this file to secrets.enc.yaml and encrypt with SOPS:
#   cp secrets.enc.yaml.example secrets.enc.yaml
#   sops secrets.enc.yaml
#
# Required secrets for kubernetes-monitoring deployment

# Doppler configuration (project and config for Cribl secrets)
DOPPLER_PROJECT: "your-doppler-project-here"
DOPPLER_CONFIG: "your-doppler-config-here"

# Cribl Cloud managed edge URL (tls://TOKEN@host:port?group=fleet)
# Alternative to Doppler: set this directly if not using Doppler
CRIBL_CLOUD_MASTER_URL: "tls://your-token-here@your-org.cribl.cloud:4200?group=default"

# Cribl Stream admin password
CRIBL_STREAM_PASSWORD: "your-stream-password-here"

# Splunk HEC token (standalone edge → Splunk)
# URL is derived at deploy time from SPLUNK_NETWORK terraform output
SPLUNK_HEC_TOKEN: "your-splunk-hec-token-here"

# AI container API keys (for ephemeral job containers)
CLAUDE_API_KEY: "your-claude-api-key-here"
GEMINI_API_KEY: "your-gemini-api-key-here"

# GitHub Copilot REST collector (org-level usage metrics via Stream pack)
# Requires a PAT with manage_billing:copilot and read:org scopes
GITHUB_COPILOT_PAT: "your-github-copilot-pat-here"
GITHUB_COPILOT_ORG: "your-github-org-here"

# Bifrost AI Gateway — API keys are managed by the Doppler Kubernetes Operator,
# NOT stored in SOPS. The operator syncs OPENAI_API_KEY, ANTHROPIC_API_KEY,
# GEMINI_API_KEY, OPENROUTER_API_KEY from Doppler ai-ci-automation/prd directly
# to a K8s Secret (bifrost-provider-keys). Bootstrap the operator with:
#   kubectl apply -f https://github.com/DopplerHQ/kubernetes-operator/releases/latest/download/recommended.yaml
#   kubectl create secret generic doppler-token-bifrost \
#     --namespace doppler-operator-system \
#     --from-literal=serviceToken="dp.st.prd.XXXX"