Open stefanprodan opened 11 months ago
Shouldn't that be

```yaml
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

instead?
Yes, it should be sops-age
Hi Stefan, I’ve updated all the instructions in #2, including using SOPS instead of Sealed Secrets. I still have a small issue where the client-credential secret isn’t created automatically 🤔
I suggest using Flux native secrets decryption that works great with CNCF SOPS and Age encryption.
The main advantage of using Flux+SOPS is that, unlike Sealed Secrets which relies on static keys, Flux can use Cloud KMS or Hashicorp Vault.
Migration steps
After the Flux bootstrap step, we'll generate an Age key pair. The public key will be stored in the repo for users to encrypt Kubernetes Secrets. The private key will be stored in the cluster for Flux to decrypt the Kubernetes Secrets.
Tools
Install SOPS and Age:
Key setup
Generate a key pair with Age:
Create a Kubernetes Secret in the flux-system namespace with the private key:
Save the public key to a file in the repo:
Delete the private key from the repo to avoid pushing it upstream:
Note that the private key should be stored in a safe place like a Vault and used for DR.
Encrypt Kubernetes Secrets
Kubernetes Secrets in YAML format created with kubectl can be encrypted in-place with SOPS:
Configure Flux decryption
Add the decryption section to the Flux infra and apps Kustomizations:
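As an added pre-commit check for this workflow (example code written for this thread, not part of Flux or SOPS), the script below flags a Secret manifest that SOPS did not encrypt for an Age recipient, and a Flux Kustomization whose decryption section does not reference the sops-age key. It assumes the manifests were loaded with yaml.safe_load; the sample manifests are constructed.

```python
import re

# Shape of a value SOPS writes into an encrypted manifest, and of an Age
# public key (bech32 "age1" + 58 characters) as saved in the repo.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")
AGE_RECIPIENT = re.compile(r"^age1[0-9a-z]{58}$")

def secret_problems(manifest):
    """Reasons a Kubernetes Secret manifest must not be committed to the repo."""
    if manifest.get("kind") != "Secret":
        return []  # only Secrets carry a sensitive payload for this check
    sops = manifest.get("sops")
    if not isinstance(sops, dict):
        return ["no sops metadata: file is not encrypted"]
    problems = []
    recipients = [r.get("recipient", "") for r in sops.get("age") or []]
    if not any(AGE_RECIPIENT.match(r) for r in recipients):
        problems.append("no Age recipient in sops metadata")
    # SOPS encrypts only data/stringData; kind and metadata stay readable for Flux.
    for section in ("data", "stringData"):
        for key, value in (manifest.get(section) or {}).items():
            if not (isinstance(value, str) and ENC_VALUE.match(value)):
                problems.append(f"{section}.{key} is plaintext")
    return problems

def kustomization_problems(manifest):
    """Reasons a Flux Kustomization would not decrypt with the sops-age key."""
    dec = (manifest.get("spec") or {}).get("decryption") or {}
    problems = []
    if dec.get("provider") != "sops":
        problems.append("spec.decryption.provider must be 'sops'")
    if (dec.get("secretRef") or {}).get("name") != "sops-age":
        problems.append("spec.decryption.secretRef.name must be 'sops-age'")
    return problems

# Constructed samples: what yaml.safe_load returns for the manifests.
RECIPIENT = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
ENCRYPTED_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "client-credential", "namespace": "apps"},
    "data": {"password": "ENC[AES256_GCM,data:K9s2ZQ==,iv:aWI=,tag:dGFn,type:str]"},
    "sops": {"age": [{"recipient": RECIPIENT, "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}],
             "encrypted_regex": "^(data|stringData)$"}}
PLAINTEXT_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "client-credential"},
                    "stringData": {"password": "hunter2"}}
FLUX_KUSTOMIZATION = {"kind": "Kustomization", "spec": {"decryption": {
    "provider": "sops", "secretRef": {"name": "sops-age"}}}}
```

Run it over every file under the clusters directory before pushing; a non-empty result from either function is the signal to stop the commit.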