morey-tech / homelab


K8s Clusters - `sealed-secrets-key` backups #3

Closed morey-tech closed 5 months ago

morey-tech commented 1 year ago

Using kubeseal to make secrets safe to store in a GitOps repo relies on the secrets created by the controller to restore if the cluster is lost. These should be backed up.

morey-tech commented 1 year ago

Look into using GCP KMS to SOPS encrypt the backup. Also, see if Ansible Vault has a plugin for KMS.

morey-tech commented 5 months ago

Using external-secrets with Bitwarden backing it now.

https://github.com/morey-tech/homelab/tree/bcb24d541555deab678f159195ecce89b916d31b/environments/rubrik/system/external-secrets
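For clusters that still use sealed-secrets, a backup of the controller's keys is only useful if it really contains the private keys. The check below is an added example, not code from this repository: it assumes the backup was exported with `kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o json` (the namespace is an assumption) and is run before the file is encrypted. The sample Secrets are constructed placeholders.

```python
import base64
import json

# Label the sealed-secrets controller puts on its key Secrets.
KEY_LABEL = "sealedsecrets.bitnami.com/sealed-secrets-key"
PEM_MARKERS = {"tls.crt": b"-----BEGIN CERTIFICATE-----",
               "tls.key": b"PRIVATE KEY-----"}

def check_backup(export_json):
    """Return a list of problems found in a key export; empty means OK."""
    doc = json.loads(export_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    if not items:
        return ["export contains no Secrets"]
    problems = []
    for item in items:
        meta = item.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        if item.get("kind") != "Secret" or item.get("type") != "kubernetes.io/tls":
            problems.append(f"{name}: not a kubernetes.io/tls Secret")
        if KEY_LABEL not in (meta.get("labels") or {}):
            problems.append(f"{name}: missing label {KEY_LABEL}")
        for field, marker in PEM_MARKERS.items():
            try:
                raw = (item.get("data") or {}).get(field) or ""
                pem = base64.b64decode(raw, validate=True)
            except ValueError:  # includes binascii.Error
                pem = b""
            if marker not in pem:
                problems.append(f"{name}: {field} missing or not PEM")
    return problems

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def sample_secret(name, with_key=True):
    """Constructed sample Secret; PEM bodies are placeholders, not key material."""
    data = {"tls.crt": _b64("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")}
    if with_key:
        data["tls.key"] = _b64("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "labels": {KEY_LABEL: "active"}}, "data": data}

if __name__ == "__main__":
    export = {"apiVersion": "v1", "kind": "List",
              "items": [sample_secret("sealed-secrets-key-old"),
                        sample_secret("sealed-secrets-key-new", with_key=False)]}
    for problem in check_backup(json.dumps(export)):
        print(problem)
```

The export holds unencrypted private keys, so it should exist in plaintext only long enough to be checked and encrypted.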