Add secrets decryption section to docs

stefanprodan 2020-09-01 15:52:21 +03:00
parent e2743c72f2
commit 2f33ba0ae6
3 changed files with 51 additions and 7 deletions


@ -75,7 +75,7 @@ jobs:
run: | run: |
kubectl -n kustomize-system apply -k ./config/testdata/sops kubectl -n kustomize-system apply -k ./config/testdata/sops
kubectl -n kustomize-system wait kustomizations/sops --for=condition=ready --timeout=4m kubectl -n kustomize-system wait kustomizations/sops --for=condition=ready --timeout=4m
kubectl -n test2 get secrets/test --template={{.data.password}} | base64 -D | grep test kubectl -n test2 get secrets/test --template={{.data.password}} | base64 -d | grep test
- name: Logs - name: Logs
run: | run: |
kubectl -n kustomize-system logs deploy/source-controller kubectl -n kustomize-system logs deploy/source-controller
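Review bot: the `-D` to `-d` change is the right fix: `-D` is the BSD/macOS spelling, and GNU coreutils `base64` on the ubuntu runner rejects it, so the decryption check could never pass there. Two small follow-ups: the long form `--decode` is accepted by both implementations if this step is ever run locally on macOS, and since `grep test` prints the matching line, the decoded fixture password lands in the job log; `grep -q test` keeps the exit-code check without echoing it.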

File diff suppressed because one or more lines are too long


@ -18,7 +18,7 @@ type KustomizationSpec struct {
// Decrypt Kubernetes secrets before applying them on the cluster. // Decrypt Kubernetes secrets before applying them on the cluster.
// +optional // +optional
Decryption Decryption `json:"decryption,omitempty"` Decryption *Decryption `json:"decryption,omitempty"`
// The interval at which to apply the kustomization. // The interval at which to apply the kustomization.
// +required // +required
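Review bot: switching `Decryption` to a pointer is what makes `omitempty` effective here; encoding/json never omits a non-pointer struct value, so without the pointer every Kustomization would serialize an empty `decryption: {}` block. The flip side is that every reader of `spec.decryption` now has to nil-check before dereferencing, so make sure the controller code and the API package (the suppressed diff) were updated together with this doc copy of the type.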
@ -75,7 +75,7 @@ type Decryption struct {
// The secret name containing the private OpenPGP keys used for decryption. // The secret name containing the private OpenPGP keys used for decryption.
// +optional // +optional
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"` SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
} }
``` ```
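Review bot: same pointer and nil-check consideration as for `Decryption` above. Since `SecretRef` is documented as `+optional` but the decryption provider cannot work without a private key, the doc should state what the controller does when `provider` is set and `secretRef` is left nil (fail the reconciliation with a clear condition, or treat decryption as disabled).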
@ -410,6 +410,52 @@ account. If the kustomization contains cluster level objects like CRDs or object
namespace, the reconciliation will fail since the account it runs under has no permissions to alter objects namespace, the reconciliation will fail since the account it runs under has no permissions to alter objects
outside of the `webapp` namespace. outside of the `webapp` namespace.
## Secrets decryption
In order to store secrets safely in a public or private Git repository,
you can use [Mozilla SOPS](https://github.com/mozilla/sops)
and encrypt your Kubernetes Secrets data with OpenPGP keys.
Generate a GPG key **without passphrase** using [gnupg](https://www.gnupg.org/)
then use sops to encrypt a Kubernetes secret:
```sh
sops --pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 \
--encrypt --encrypted-regex '^(data|stringData)$' --in-place my-secret.yaml
```
Commit and push the encrypted file to Git.
> **Note** that you should encrypt only the `data` section, encrypting the Kubernetes secret
> metadata, kind or apiVersion is not supported by kustomize-controller.
Create a secret in the `gitops-system` namespace with the OpenPGP private key:
```sh
gpg --export-secret-keys --armor FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 |
kubectl -n gitops-system create secret generic sops-gpg \
--from-file=sops.asc=/dev/stdin
```
Configure decryption by referring the private key secret:
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
kind: Kustomization
metadata:
name: my-secrets
spec:
interval: 5m
path: "./"
sourceRef:
kind: GitRepository
name: my-secrets
decryption:
provider: sops
secretRef:
name: sops-pgp
```
## Status ## Status
When the controller completes a kustomization apply, reports the result in the `status` sub-resource. When the controller completes a kustomization apply, reports the result in the `status` sub-resource.
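Review bot: the secret name in the `kubectl create secret` step is `sops-gpg`, but the Kustomization example references `secretRef.name: sops-pgp`; readers copying both blocks will get a decryption failure, so pick one spelling for both. Since the doc requires a key **without passphrase** and stores its armored private half in a plain Secret in `gitops-system`, it is worth one sentence telling operators that anyone with read access to Secrets in that namespace can decrypt every SOPS-encrypted file, so RBAC on `gitops-system` is the real boundary. The `--encrypted-regex '^(data|stringData)$'` flag already matches the Note about leaving metadata, kind and apiVersion in clear, which is good. Minor: "by referring the private key secret" should read "by referencing the private key secret".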