Handling secrets in Flux v2 repositories with SOPS

Introduction to SOPS

SOPS basics

gpg --full-generate-key
gpg --list-secret-keys ${your_email_address}
sec   rsa4096 2021-02-04 [SC]
      CFF53C2B937EAFD676F75C48F70573E9355BF63B
uid           [ultimate] Leonid Koftun
ssb   rsa4096 2021-02-04 [E]
cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-database-secret
  namespace: awesome-namespace
stringData:
  database-password: Password123
EOF
cat <<EOF > .sops.yaml
---
creation_rules:
  - encrypted_regex: '^(data|stringData)$'
    pgp: >-
      CFF53C2B937EAFD676F75C48F70573E9355BF63B
EOF
# You can encrypt the file in-place
sops --encrypt --in-place secret.yaml
# Or write to a new file
sops --encrypt secret.yaml > encrypted-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-database-secret
  namespace: awesome-namespace
stringData:
  database-password: ENC[AES256_GCM,data:k8GGkwr4AE/CdlM=,iv:tecWFmg0INNY1vRfpdGLsDc+APd6UmKk6AS//U0OjI4=,tag:EEm7DHO7muNgpLOwUZh1Lw==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  lastmodified: '2021-02-22T21:45:13Z'
  mac: ENC[AES256_GCM,data:jhzW3o+XcFZgkvGzMb05GpM3hu1dmhRE74woFIeYQOtOy1jCXCp9WgyHar3XDp+1TkOOaN0myfRMe6uz/WmyyKXMPZNf5i4MlB053UUeL2RFMjaGjFlEgq7kG+aoke7+JVN3vTLCiP9fMb4aV3wfPy3hMp5d10wSmPhcfG6/Fww=,iv:07ToHHvJL5tzI5RZLEkfFj+tqJ1y/3XOlADB9TAIuS0=,tag:xlZWGsK5Isrr6GEpBU7YyA==,type:str]
  pgp:
    - created_at: '2021-02-22T21:45:13Z'
      enc: |
        -----BEGIN PGP MESSAGE-----
        ...
        -----END PGP MESSAGE-----
      fp: CFF53C2B937EAFD676F75C48F70573E9355BF63B
  encrypted_regex: ^(data|stringData)$
  version: 3.6.1
sops --decrypt encrypted-secret.yaml | kubectl apply -f -
  1. We need to make sure we only add encrypted secrets to source control.
  2. We need to decrypt secrets in our CI/CD scripts before we can deploy to a cluster.
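A guard for the first point, added here as an example and not code from the original post: a pre-commit or CI check that rejects any Kubernetes Secret manifest unless it carries a sops metadata block and every data/stringData value is an ENC[...] envelope. It is line-oriented (grep/awk), so it assumes plain manifests indented with spaces like the ones above; the three sample manifests are constructed, not real sops output.

```shell
#!/bin/sh
# Guard for a pre-commit hook or CI job: refuse a Kubernetes Secret manifest
# unless it carries SOPS metadata AND every data/stringData value is an
# ENC[...] envelope. Returns 0 if the file may be committed, 1 otherwise.
check_secret_encrypted() {
    f="$1"
    grep -q '^kind: Secret$' "$f" || return 0   # only Secrets are in scope
    grep -q '^sops:' "$f" || return 1           # no sops block: plaintext file
    awk '
        BEGIN { bad = 0 }
        /^(data|stringData):/ { inblock = 1; next }
        /^[^ ]/               { inblock = 0 }
        inblock && /^ +[^ ]+: *[^ ]/ {
            sub(/^ +[^ ]+: */, "")              # keep only the value
            if ($0 !~ /^ENC\[/) bad = 1         # plaintext value found
        }
        END { exit bad }' "$f"
}
# Checks a manifest held in a string and prints ok or REJECT.
check_secret_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if check_secret_encrypted "$tmp"; then r=ok; else r=REJECT; fi
    rm -f "$tmp"
    echo "$r"
}
# Constructed samples (not real sops output): a common header, an envelope
# value of the shape sops writes, and a minimal sops metadata block.
HEADER='apiVersion: v1
kind: Secret
metadata:
  name: my-database-secret
stringData:'
ENC_LINE='  database-password: ENC[AES256_GCM,data:EXAMPLE,iv:EXAMPLE,tag:EXAMPLE,type:str]'
SOPS_BLOCK='sops:
  encrypted_regex: ^(data|stringData)$
  version: 3.6.1'
PLAIN_SECRET="$HEADER
  database-password: Password123"          # plaintext: must be rejected
ENC_SECRET="$HEADER
$ENC_LINE
$SOPS_BLOCK"                                 # fully encrypted: ok
HALF_SECRET="$HEADER
$ENC_LINE
  api-token: hunter2
$SOPS_BLOCK"                                 # key added by hand after encrypting: reject
for s in "$PLAIN_SECRET" "$ENC_SECRET" "$HALF_SECRET"; do check_secret_string "$s"; done
```

The third sample is the case a "has a sops block" check alone misses: a key pasted into an already encrypted file stays plaintext until `sops --encrypt --in-place` is run again.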

Enabling SOPS in Flux v2

Create a Kubernetes secret with your private PGP key

# Find the ID of the private key.
gpg --list-secret-keys ${your_email_address}
sec   rsa4096 2021-02-04 [SC]
      CFF53C2B937EAFD676F75C48F70573E9355BF63B
uid           [ultimate] Leonid Koftun
ssb   rsa4096 2021-02-04 [E]

# Export the PGP secret to a new k8s secret
# in the flux-system namespace.
gpg --export-secret-keys \
    --armor CFF53C2B937EAFD676F75C48F70573E9355BF63B |
  kubectl create secret generic sops-gpg \
    --namespace=flux-system \
    --from-file=sops.asc=/dev/stdin

Setup cluster-side decryption in Flux

.
├── cluster
│   ├── awesome-namespace
│   │   └── namespace.yaml
│   └── flux-system
│       ├── gotk-components.yaml
│       ├── gotk-sync.yaml
│       └── kustomization.yaml
└── README.md
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: master
  secretRef:
    name: flux-system
  url: ssh://git@github.com/sladkoff/home-cluster
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  validation: client
  # Enable decryption
  decryption:
    # Use the sops provider
    provider: sops
    secretRef:
      # Reference the new 'sops-gpg' secret
      name: sops-gpg

Summary


My name is Leo. I’m 26 years old and I do software development. I’m based in Munich.
