
feat: bootstrap sops-secrets-operator#42

Merged
xnoto merged 1 commit into main from feat/sops-secrets-operator-bootstrap on Jun 19, 2026

Conversation

@xnoto xnoto (Contributor) commented Jun 19, 2026

Summary

  • install sops-secrets-operator as the highest-priority bootstrap child Application at sync-wave -2
  • add a sync hook at wave -1 that waits for the SopsSecret CRD before existing KSOPS-dependent bootstrap waves continue
  • document the KSOPS replacement validation path and no-bootstrap target using the now-hosted static OIDC issuer at https://makeitwork.cloud/oidc

Validation

  • scanned YAML/Markdown for explicit AWS account IDs, KMS ARNs/object IDs, and AWS access-key env names
  • kustomize build bootstrap
  • pre-commit run --all-files

Notes

  • This is additive only: it does not migrate secrets, add AWS credentials, add KMS identifiers, or deprecate KSOPS.
  • The operator is installed without static AWS credentials; KMS-backed SopsSecret reconciliation requires follow-up ambient AWS auth via the static OIDC issuer, k3s ServiceAccount issuer/signing configuration, and AWS IAM trust.
  • The wait hook checks only CRD availability to avoid a bootstrap dependency loop.
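The wave -1 wait hook is described above but its script is not shown. As an added example (not the PR's own hook and not code from the sops-secrets-operator project), the script below polls the CRD until the API server reports it Established and fails the sync on timeout, which keeps bootstrap fail-closed instead of letting KSOPS-dependent waves race the operator. Everything beyond the PR text is an assumption: the CRD name sopssecrets.isindir.github.com (the upstream operator's default group), kubectl being available inside the hook Pod, and a RUN_HOOK environment variable as the entrypoint switch.

```shell
#!/bin/sh
# Added example (not from the PR): body of an Argo CD sync-hook script that
# blocks at wave -1 until the SopsSecret CRD is served, so later KSOPS-dependent
# waves do not start before the operator's API exists.
# Assumptions not stated in the PR: the CRD is named sopssecrets.isindir.github.com
# (upstream sops-secrets-operator default) and kubectl is on PATH in the hook Pod.
CRD_NAME="${CRD_NAME:-sopssecrets.isindir.github.com}"
TIMEOUT="${TIMEOUT:-300}"     # seconds before the hook gives up and fails the sync
INTERVAL="${INTERVAL:-5}"     # seconds between polls

# Print the CRD's status conditions as "Type=Status" lines, one per line.
# If the CRD is absent, kubectl exits non-zero and prints nothing; the caller
# treats that as "not yet" rather than as an error.
fetch_crd_conditions() {
  kubectl get crd "$CRD_NAME" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}'
}

# Read condition lines on stdin; succeed only when the API server reports the
# CRD as Established. Mere existence is not enough: a CRD that is registered
# but not yet established still rejects SopsSecret objects.
crd_established() {
  grep -qx 'Established=True'
}

# Poll $1 (a command producing condition lines) until the CRD is established.
# Returns 0 on success, 1 on timeout. Deliberately checks nothing but the CRD:
# waiting here for a SopsSecret to reconcile would reintroduce the dependency
# loop the PR notes describe, since that reconciliation needs later waves.
wait_for_crd() {
  fetch="$1"
  deadline=$(( $(date +%s) + TIMEOUT ))
  while :; do
    if "$fetch" 2>/dev/null | crd_established; then
      return 0
    fi
    if [ "$(date +%s)" -ge "$deadline" ]; then
      return 1
    fi
    sleep "$INTERVAL"
  done
}

# Run the real wait only when invoked as the hook entrypoint (RUN_HOOK=1 set in
# the Job spec); sourcing the file elsewhere just defines the functions.
if [ "${RUN_HOOK:-0}" = "1" ]; then
  if wait_for_crd fetch_crd_conditions; then
    echo "CRD $CRD_NAME is established; continuing bootstrap"
  else
    echo "timed out after ${TIMEOUT}s waiting for CRD $CRD_NAME" >&2
    exit 1
  fi
fi
```

Mounted into a Job carrying the Argo CD annotations argocd.argoproj.io/hook: Sync and argocd.argoproj.io/sync-wave: "-1", a non-zero exit from this script fails the hook and therefore the sync, so a missing or unestablished CRD surfaces as a visible bootstrap failure rather than as silently unreconciled secrets in the waves that follow. The Job's ServiceAccount needs only read access to customresourcedefinitions, which keeps the hook's privilege to the minimum the check requires.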

@xnoto xnoto self-assigned this Jun 19, 2026
@xnoto xnoto merged commit 7457ffa into main Jun 19, 2026
1 check passed
@xnoto xnoto deleted the feat/sops-secrets-operator-bootstrap branch June 19, 2026 06:19