This is a kubernetes project. You will need to have the following tools available to deal with it:
Currently the project is being managed from Windows Powershell. So
this is the language of the scripts you find in the scripts
directory. All tools are also available for other platforms so you
are not forced to use Windows, though.
kubectl
This is teh stabdard kubernetes command line tool for.
helm
This is the kubernetes package manager, helm
packages are called
charts
. We use helm
for third party packages and we also write
our own helm
charts
which can be found in the directory
helmcharts
.
helmfile
This describes the whole project within a single file -- the
helmfile
. So it can be considers as project management tool. The
helmfile
references all helm
charts
as well as the
correspoding configuration and secrets.
sops
This tool is used for secret encrytion. It interfaces lower level
encryption tools like gpg
and allows for multiuser features and
better git
integration.
gpg
This is the low-level encryption tool used by sops when involving
developer keys. Each developer has his or her own gpg
key pair.
sops
will encrypt all secrets using its a file-dependent master
key which in turn will be encrypted by the gpg
keys of all
involved developers.
openssl
openssl
is needed when creating new kubernetes user accounts --
as in fact a kubernetes user is nothing more than as an X509
certificate signed by the kubernetes server.
helm-secrets
This tool allows for the integration of helm
and sops
.
This project is developed with kubernetes contexts in mind. A
context consists
of a kubernetes server, a namespace (usually the namespace
will be fairagro
) and a user account. All components of this
project are always installed into the same namespace.
You can consider the combination of server and namespace as an
environment, each with its own
configurations and secrets. Currently the environment
'corki/fairagro'
is used for development/staging while the environment
'draven/fairagro' is used for production.
All active environments are kept with in the project in the
environments
directory.
Each user (aka developer) will need to manage his own kubeconfig
files that include his personal access keys for kubernetes. The
included Windows Powershell scripts expect the kubeconfig file to
be stored in the folder
%USERPROFILE%\.k8s_config\<servername>_<namespace>
.
So there will be one kubeconfig file per environment. It is
expected that each developer will only have one user account per
environment. This user will have admin right in the corresponding
namespace.
You can change the current context with the script
set_context.ps1
. Note that it needs to be dot-sourced. E.g.:
. scripts/set_context.ps1 corki fairagro
This script will also load all public gpg keys used by sops
into
your gpg
keyring and set command aliases for kubectl
, helm
,
helmfile
and sops
.
Secrets are managed per environment (as other configuration). You
will
find a secrets
folder within each environment. Secrets files are
encrypted with sops
and always end in '.enc.yaml'. They are
referenced in the 'helmfile.yaml' for each release.
sops
manages secret encryption using gpg
for each developer.
There will also be secret encryption for the continuous deployment
pipeline which will probably use age
.
Within each environment folder you will find a file '.sops.yaml'
that defines the behavior of sops
for all files within the
directory as well as all sub-directories. You will notice that
files ending in '.enc.yaml' are encrypted using the gpg keys of all
active developers. Note that only the public keys of the developers
are needed for encryption, so every developer can encrypt secrets
for all other developers (as well as the CD pipeline). Only for
decryption the private key will be required. Note also that the
public keys of all active developers are included in the
public_keys
folder of each environment. These keys will be loaded
automatically into your gpg
keyring when you use the script
set_context.ps1
.
Currently secrets files created by extracting secrets from
a 'values.yaml' file as needed by helm
. These secrets are copied
to a corresponding secret file that has to be encrypted using
sops
. Secret files are merged into the helm charts values upon
execution of helm
/helmfile
. If you use VisualStudio Code you
can install the 'vscode-sops' plugin that will automatically
encrypt all files according to the '.sops.yaml' file.