The boot-invariant set is DATABASE_URL, RESTATE_BROKER_URL, NAVIGATOR_OPA_URL, NAVIGATOR_STORAGE_BACKEND=gcs,
SESSION_SECRET, the SENDGRID_* keys, and DOCUSIGN_HMAC_KEY. The always-current list and every variable's meaning
live in the canonical docs — this workshop deliberately does not copy them so it cannot drift. See
docs/oss-install.md §4 and .env.example.

Two rules keep client data safe, and the deploy will not let you skip them. First, secrets never live in the manifest
tree — create the runtime Secret with kubectl create secret out-of-band (the full --from-literal command is in
oss-install.md §4), so credentials never enter Git. Second, one interface, your choice of source — NeonLaw keeps
values in Doppler (dev for local and CI, prd rendered into Secret Manager); see
docs/secrets-doppler.md. Doppler is optional: a fork can ignore it and use a gitignored
.env instead. The env-var interface is identical either way.
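
The first rule can be checked mechanically. The script below is an added example, not the project's own enforcement: it scans a manifest directory for Kubernetes Secret objects that carry inline data or stringData. The function names, the app-runtime Secret name and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Handles top-level YAML documents only
# (no JSON manifests, no "kind: List" wrappers).
# scan_manifests DIR: 0 = clean, 1 = inline Secret found, 2 = DIR missing.
scan_manifests() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    hits=$(find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk '
        # Report the finished YAML document if it was a Secret with values.
        function report() {
            if (secret && data) print file ": Secret with inline data/stringData"
            secret = 0; data = 0
        }
        FNR == 1              { report(); file = FILENAME }  # next file
        /^---[ \t]*$/         { report(); next }             # next document
        # Anchored match: SealedSecret and ExternalSecret are not flagged.
        /^kind:[ \t]*"?Secret"?[ \t]*(#.*)?$/ { secret = 1 }
        /^(data|stringData):/ { data = 1 }
        END                   { report() }
    ' {} +)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}
# make_sample_tree DIR: write two constructed manifests for the demo.
make_sample_tree() {
    mkdir -p "$1"
    cat > "$1/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
# pod spec elided: it refers to the Secret "app-runtime" by name only
EOF
    cat > "$1/leaked.yaml" <<'EOF'
kind: ConfigMap
metadata:
  name: app-config
---
apiVersion: v1
kind: Secret
metadata:
  name: app-runtime
stringData:
  SESSION_SECRET: constructed-placeholder
EOF
}
# Demo on a throwaway tree; only leaked.yaml is reported.
demo=$(mktemp -d) && make_sample_tree "$demo"
scan_manifests "$demo" || echo "blocked: create this Secret out-of-band instead"
rm -rf "$demo"
```

Run as a pre-commit hook or CI step, a non-zero return from scan_manifests stops the change before a credential reaches Git history.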