PostHog product analytics — sealing the API key

The gateway has a PostHog dual-fire bridge (see PR #895 / services/gateway/src/telemetry/infrastructure/posthogBridge.ts). When POSTHOG_API_KEY is set on the gateway pod, every event written to the internal telemetry_events table is also sent to PostHog. When the key is absent, the bridge is a no-op — no errors, no degraded behaviour.

This page is the runbook for setting / rotating the key in the EKS cluster.

Prerequisites (one-time)

brew install kubeseal

Confirm kubeseal --version works.

AWS + cluster auth

The Align AWS account is 869633161172 in eu-west-2. Make sure your AWS profile points at it and your kubectl context is the right EKS cluster.

# If you don't already have a profile, configure SSO interactively:
aws configure sso --profile align
# (You'll be prompted for SSO start URL, region, account, and role.)

# Then log in:
aws sso login --profile align
export AWS_PROFILE=align

# Point kubectl at the cluster (replace <CLUSTER_NAME>):
aws eks update-kubeconfig --region eu-west-2 --name <CLUSTER_NAME>

# Sanity check — you should see the align-preview and align-prod namespaces:
kubectl get ns | grep align

Sealing the key

Get your PostHog project API key (starts with phc_...) from PostHog → Project Settings → Project API Keys. The same key works for both preview and prod when you have a single PostHog project (typical for stealth / pre-launch).

make seal-posthog-preview # prompts for phc_ key
make seal-posthog-prod # prompts for phc_ key (same value is fine pre-launch)

Each target writes a SealedSecret to sealedsecrets/<env>/posthog.yaml. Commit and push:

git add sealedsecrets/preview/posthog.yaml sealedsecrets/prod/posthog.yaml
git commit -m "chore(secrets): add sealed PostHog project API key"
git push

ArgoCD picks up the new SealedSecret on its next sync (a few minutes). The gateway pod then restarts and POSTHOG_API_KEY is in its env. Events start flowing to PostHog within seconds of the next signup / connector enable / decision capture.
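A check to run on sealedsecrets/<env>/posthog.yaml before git add, as an added example that is not part of the original runbook or the project's Makefile. It confirms the file is a SealedSecret scoped to the right name and namespace and contains no unsealed phc_ key. The data key name POSTHOG_API_KEY and both function names are assumptions, and the sample manifest is constructed.

```shell
# Added example. Assumed names: Secret "align-posthog", namespace "align-<env>",
# data key POSTHOG_API_KEY (the page names only the env var).
check_sealed_posthog() {  # usage: check_sealed_posthog <file> <env>
  file="$1"; env="$2"
  [ -r "$file" ] || { echo "FAIL: cannot read $file" >&2; return 2; }
  # 1. Must be a SealedSecret, not a plain Secret manifest.
  grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$file" ||
    { echo "FAIL: not kind: SealedSecret" >&2; return 3; }
  # 2. No plaintext project key ("_" is outside the base64 alphabet, so
  #    real ciphertext cannot match this).
  if grep -Eq 'phc_[A-Za-z0-9]+' "$file"; then
    echo "FAIL: plaintext phc_ key" >&2; return 4
  fi
  # 3. No value that is merely base64("phc_..."), which always starts "cGhjX".
  if grep -Eq ':[[:space:]]*"?cGhjX' "$file"; then
    echo "FAIL: base64-encoded, unsealed phc_ key" >&2; return 5
  fi
  # 4. kubeseal's default (strict) scope binds the ciphertext to name and
  #    namespace; a file sealed for another namespace never decrypts.
  grep -Eq "^[[:space:]]+namespace:[[:space:]]*align-${env}[[:space:]]*\$" "$file" ||
    { echo "FAIL: namespace is not align-${env}" >&2; return 6; }
  grep -Eq '^[[:space:]]+name:[[:space:]]*align-posthog[[:space:]]*$' "$file" ||
    { echo "FAIL: name is not align-posthog" >&2; return 7; }
  # 5. An encrypted entry for the key must be present.
  grep -Eq '^[[:space:]]+POSTHOG_API_KEY:[[:space:]]*[A-Za-z0-9+/=]{64,}' "$file" ||
    { echo "FAIL: no encrypted POSTHOG_API_KEY entry" >&2; return 8; }
  echo "OK: $file"
}

# Constructed sample manifest; the value passed in is filler, not kubeseal output.
write_sample() {  # usage: write_sample <path> <kind> <namespace> <value>
  cat > "$1" <<EOF
apiVersion: bitnami.com/v1alpha1
kind: $2
metadata:
  name: align-posthog
  namespace: $3
spec:
  encryptedData:
    POSTHOG_API_KEY: $4
EOF
}
```

A non-zero return identifies which check failed, so the function can gate a pre-commit hook or CI step for each environment's file.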

Verifying

After ArgoCD syncs:

# Confirm the secret exists in the cluster
kubectl get secret align-posthog -n align-preview

# Confirm the gateway pod has the env var
kubectl exec -n align-preview deploy/align-preview-gateway -- env | grep POSTHOG

Then trigger a signup on app.preview.align.tech and check PostHog → Live Events. You should see a signup event within ~10 seconds.

Rotating the key

  1. In PostHog UI → Project Settings → Project API Keys, click Rotate
  2. Re-run make seal-posthog-preview and make seal-posthog-prod with the new key
  3. Commit, push, wait for ArgoCD sync

The gateway picks up the new key on its next pod restart. ArgoCD usually triggers the restart automatically when the secret changes; if it does not, run kubectl rollout restart deploy/align-<env>-gateway -n align-<env>.

Why one key for preview + prod is OK today

The plan is to split into two PostHog projects (Align — Preview, Align — Production) when there are real prod customers, so test data doesn't pollute the prod funnel. Today, with zero real prod customers, the simpler "one key everywhere" setup is fine and saves a few minutes of PostHog UI clicking.