gphilipp / streaming-applications-gitops


Migrate secrets managed to Flux & SOPS #1

Open stefanprodan opened 11 months ago

stefanprodan commented 11 months ago

I suggest using Flux native secrets decryption that works great with CNCF SOPS and Age encryption.

The main advantage of using Flux+SOPS is that, unlike Sealed Secrets which relies on static keys, Flux can use Cloud KMS or Hashicorp Vault.

Migration steps

After the Flux bootstrap step, we'll generate an Age key pair. The public key will be stored in the repo for users to encrypt Kubernetes Secrets. The private key will be stored in the cluster for Flux to decrypt the Kubernetes Secrets.

Tools

Install SOPS and Age:

brew install age sops

Key setup

Generate a key pair with Age:

age-keygen -o private.agekey

Create a Kubernetes Secret in the flux-system namespace with the private key:

kubectl create secret generic sops-age \
--namespace=flux-system \
--from-file=private.agekey

Save the public key to a file in the repo:

age-keygen -y private.agekey > public.agekey

Delete the private key from the repo to avoid pushing it upstream:

rm private.agekey

Note that the private key should be stored in a safe place like a Vault and used for DR.

Encrypt Kubernetes Secrets

Kubernetes Secrets in YAML format created with kubectl can be encrypted in-place with SOPS:

sops --age=$(cat public.agekey) \
--encrypt --encrypted-regex '^(data|stringData)$' \
--in-place apps/staging/client-credentials.yaml

Configure Flux decryption

Add the decryption section to the Flux infra and apps Kustomizations:

spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
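
The step that most often goes wrong in the migration above is not the Flux side but the repo side: a Secret created with kubectl gets committed before anyone runs `sops --encrypt` on it, or an already encrypted file is edited with a plain editor and a new plaintext key slips in. As an added example that is not part of this issue and not code from the Flux or SOPS projects, the POSIX shell script below is a pre-commit guard for that case. It assumes only sh, awk and find; the manifests, `ENC[...]` strings and age recipient written by `make_samples` are constructed stand-ins, not the output of a real sops run.

```shell
#!/bin/sh
# Added example, not code from this issue or from Flux/SOPS: a pre-commit guard
# for the workflow above. It rejects the commit if any Kubernetes Secret manifest
# in the tree still has plaintext under data:/stringData:, i.e. the file was never
# run through  sops --age=... --encrypt --encrypted-regex '^(data|stringData)$' --in-place
# or was edited by hand after encryption. Needs only POSIX sh, awk and find.
# Everything written by make_samples is a constructed stand-in, not real ciphertext.

# secret_is_encrypted FILE
# Exit 0 when every value under data:/stringData: is a SOPS ciphertext
# (ENC[AES256_GCM,...]) and the top-level sops: block is present; exit 1 otherwise.
secret_is_encrypted() {
  awk '
    /^(data|stringData):[ \t]*$/ { inblock = 1; next }  # enter the block
    /^[^ \t]/                     { inblock = 0 }        # next top-level key ends it
    /^sops:/                      { has_sops = 1 }       # metadata SOPS appends on encrypt
    inblock && /^[ \t]+[^ \t#]/ {                        # "  key: value" inside the block
      v = $0
      sub(/^[ \t]*[^:]*:[ \t]*/, "", v)                  # drop "  key: ", keep the value
      if (v !~ /^ENC\[AES256_GCM,/) plain++              # plaintext (or a "|" block scalar)
    }
    END { if (has_sops && plain == 0) exit 0; exit 1 }
  ' "$1"
}

# check_tree DIR
# Scan every *.yaml/*.yml Secret below DIR; print offenders on stderr, return 1 if any.
check_tree() {
  rc=0
  for f in $(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort); do
    grep -q '^kind: Secret$' "$f" || continue          # non-Secret manifests are skipped
    if ! secret_is_encrypted "$f"; then
      echo "plaintext secret, run sops --encrypt first: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# make_samples: write constructed manifests into a temp dir and print its path.
make_samples() {
  d=$(mktemp -d) && mkdir -p "$d/ok" "$d/bad"
  # Shape of a file after sops --encrypt --encrypted-regex '^(data|stringData)$':
  # metadata stays readable, only the data values and the sops block are ciphertext.
  cat > "$d/ok/client-credentials.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: client-credentials
  namespace: staging
data:
  client-id: ENC[AES256_GCM,data:c29tZQ==,iv:aWQ=,tag:dGFn,type:str]
  client-secret: ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]
sops:
  age:
    - recipient: age1constructedrecipient0000000000000000000000000000000000000000
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
  version: 3.7.3
  encrypted_regex: ^(data|stringData)$
EOF
  cat > "$d/ok/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
EOF
  # Created with kubectl and committed before anyone ran sops on it.
  cat > "$d/bad/plaintext.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: client-credentials
stringData:
  client-id: my-client
  client-secret: hunter2
EOF
  # Encrypted once, then a key was appended with a plain editor instead of `sops FILE`.
  cat > "$d/bad/mixed.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: client-credentials
data:
  client-id: ENC[AES256_GCM,data:c29tZQ==,iv:aWQ=,tag:dGFn,type:str]
  client-secret: aHVudGVyMg==
sops:
  version: 3.7.3
EOF
  echo "$d"
}

# Stand-alone run over the constructed tree. As a real hook, scan the staged
# files instead: git diff --cached --name-only --diff-filter=ACM
d=$(make_samples)
check_tree "$d" || echo "commit rejected" >&2
rm -rf "$d"
```

The check is deliberately stricter than "does the file mention sops": the mixed sample carries a `sops:` block and one ciphertext value yet is still rejected, because the value that matters is the one that was added after encryption. Keep the check on the regex you actually pass to sops; if you later narrow `--encrypted-regex` to a subset of keys, the awk block boundary must follow it.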

gphilipp commented 11 months ago

Shouldn't that be

spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age

instead?

stefanprodan commented 11 months ago

Yes, it should be sops-age

gphilipp commented 11 months ago

Hi Stefan, I’ve updated all the instructions in #2, including using SOPS instead of Sealed Secrets. I still have a small issue where the client-credential secret isn’t created automatically 🤔