Secrets
Almost all services require some kind of secret value at runtime. In order to store those secrets safely inside the Git repository I use Mozilla SOPS, which is natively supported by Flux. More precisely, I use `age` for the encryption itself.
Info
Please keep in mind that this page only documents an example implementation of my workflow. You're free to adapt it, but you will need to adjust it yourself.
Prerequisites
It is required to have SOPS and `age` installed on your machine. You can leverage brew for that:
You also need to generate a key for `age` and enable the Flux controllers to decrypt your secrets.
Store age key in environment variable
This repository provides some task definitions to easily maintain SOPS encrypted files. To use them you just need to ensure your `age` public key is available in an environment variable called `AGE_PUBLIC_KEY`.
Workflow
Let's assume you want to deploy an application which needs the following secret to connect to a database:
`db-user.sops.yaml`
To store the secret safely in the Git repository, you would do the following:
- Create the secret manifest locally and name it e.g. `db-user.sops.yaml`
- Encrypt the file using SOPS and `age`
- Reference the secret inside the `Deployment` as you normally would
- Commit the files to the Git repository
As soon as the commit is pushed to the Git repository, the following happens inside the cluster:
1. `source-controller` pulls the changes from Git
2. `kustomize-controller` loads the `age` keys from the `sops-age` secret
3. `kustomize-controller` decrypts your secret and applies it on the cluster
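The step that must never go wrong in this workflow is the commit: a `*.sops.yaml` file that was created or re-edited locally but not (re-)encrypted would land in Git as plaintext. The following guard, an added example that is not part of this repository, checks such a file before it is committed. It assumes the usual Flux layout, where only `data`/`stringData` are encrypted and the `sops` metadata block lists an `age` recipient; the sample manifests are constructed and their `ENC[...]` payloads are placeholders.

```python
"""Pre-commit guard for *.sops.yaml Secrets: reject files whose data/stringData
values are still plaintext. Added example, not repository code; it assumes the
usual Flux layout (only data/stringData encrypted, an age recipient in the sops block)."""
import re

# Shape of a value after SOPS has encrypted it; the payload fields are base64.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
SECRET_SECTIONS = ("data", "stringData")

def check_sops_secret(text: str) -> list[str]:
    """Return the problems found; an empty list means the file is safe to commit."""
    problems, section, has_sops, has_age = [], None, False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                 # a new top-level key starts
            section = raw.split(":", 1)[0].strip()
            has_sops = has_sops or section == "sops"
            continue
        key, sep, value = raw.strip().partition(":")
        value = value.strip().strip("'\"")
        if section == "sops" and key == "age":
            has_age = True
        elif section in SECRET_SECTIONS and sep and value and not ENC_VALUE.match(value):
            problems.append(f"line {lineno}: {section}.{key} is not SOPS-encrypted")
    if not has_sops:
        problems.append("no 'sops' metadata block: the file was never encrypted")
    elif not has_age:
        problems.append("sops metadata lists no age recipient")
    return problems

# Constructed sample of db-user.sops.yaml after encryption; the ENC[...] payloads
# and the recipient are placeholders, not real SOPS output.
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-user
stringData:
  username: ENC[AES256_GCM,data:dXNlcg==,iv:aXY=,tag:dGFn,type:str]
  password: ENC[AES256_GCM,data:cGFzcw==,iv:aXY=,tag:dGFn,type:str]
sops:
  age:
    - recipient: age1PLACEHOLDERPUBLICKEY
      enc: PLACEHOLDER
  encrypted_regex: ^(data|stringData)$
"""
# The same Secret before `sops --encrypt`: this must never reach the repository.
PLAINTEXT = re.sub(r"ENC\[[^\]]*\]", "hunter2", ENCRYPTED.split("sops:")[0])
```

Wired into a pre-commit hook that runs `check_sops_secret` over every staged `*.sops.yaml`, it also catches the case where a decrypted file was edited and only partly re-encrypted.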
Commands
Encryption
The following commands allow you to encrypt any YAML or JSON file and store it inside the Git repository:
Decryption
If you need to modify the secret value later on, you can decrypt it locally, as long as the private `age` key exists on your machine: