GitOps and Secrets

GitOps is the supported deployment path. A commit to your configured repository changes application desired state; gh0stcloud reconciles it through Flux.

Secrets do not belong in Git. Use OpenBao and External Secrets.

Connect a repository

Open Applications.
Open the GitOps binding section.
Choose the transport type and enter the repository URL.
Enter branch and path.
Check the sanitized preview before saving.
Wait for Flux source and kustomization state to reconcile.

For examples, start with gh0stservice/ghc-gitops-example and read docs/02-gitops-binding.md.

Repository structure

Use a simple Kustomize structure first:

kustomize/
  base/
    <app>/
  overlays/
    ghc-basic/
      kustomization.yaml

Only add advanced overlays once the basic path reconciles.

Secrets workflow

Step	Owner
Create secret values in OpenBao under the tenant path shown by gh0stportal.	Tenant user
Define an `ExternalSecret` in GitOps that references the OpenBao path.	Tenant GitOps
External Secrets Operator creates a Kubernetes Secret in the namespace.	Platform runtime
Workload references the generated Kubernetes Secret.	Tenant GitOps

Never put the secret value itself in the repository.

Service accounts

Account	Use for
Flux service account	Flux `Kustomization` and HelmRelease reconciliation.
Workload service account	Application pods and runtime identity.

Do not use the Flux service account for workload pods unless gh0stportal explicitly tells you to.

RPC/function map

Portal action	gh0stplane surface
Load GitOps state	`GetTenantApplicationsWorkspace`
Save GitOps binding	`UpdateTenantGitOpsBinding`
Read OpenBao paths and secret workflow metadata	`GetTenantSecretWorkflow`
Read onboarding state and next actions	`GetTrialOnboardingWorkspace`

Before asking an agent to edit GitOps

Give the agent:

target namespace from Applications;
desired app name;
expected hostname from Network & Exposure;
storage intent/PVC name from Data & Services;
secret path names, not secret values;
the example repo link.