Example repository for configuring in-cluster decryption of SOPS-encrypted
secrets with age using Flux
. This closely follows Flux's documentation.
Begin by initialising the flux controller and configuring it to pull from a Git repo:
export GITHUB_OWNER=1602077
export GITHUB_REPO=flux-sops-example
flux bootstrap github \
--token-auth \
--owner=$GITHUB_OWNER \
--repository=$GITHUB_REPO \
--branch=main \
--path=clusters/minikube \
--personal \
--export
Access to your repository if private is handled via a PAT token which you will
need to provide on running the command. This token is stored in the
flux-system
namespace under flux-system
.
Verify your access to the repository by running flux get source git
- there
should be a new source artefact under gitrepository/flux-system
.
age
is recommended over gpg
for encryption. Generate your public key by
running:
[ ! $(command -v age) ] || brew install age
AGE_PUBLIC_KEY=$(age-keygen -o age.agekey 2>&1 | awk '{print $3}')
This will generate an age.agekey
in your pwd
. It should not be committed
to source control under any circumstance and should ideally be backed up in an
external vault.
The public key can be committed to your repository such that other people can
encrypt keys however the AGE-SECRET-KEY
must not as this can be used to
decrypt secrets.
To encrypt your secrets with age
use:
sops --age=${AGE_PUBLIC_KEY} \
--encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml
Flux
natively supports the decryption of secrets - to configure write the
signing and private key as a secret to your cluster using:
cat age.agekey |
kubectl create secret generic sops-age \
--namespace=flux-system \
--from-file=age.agekey=/dev/stdin
secret/sops-age created
Once your secrets are encrypted with sops
edit the cluster
root apps.yaml
file to configure decryption
:
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: flux-system
spec:
interval: 10m0s
sourceRef:
kind: GitRepository
name: flux-system
path: ./apps/minikube
prune: true
wait: true
timeout: 5m0s
decryption:
provider: sops
secretRef:
name: sops-age
This references the age
secret created earlier to handle decryption.
Or you can create an isolated kustomization
using:
flux create kustomization secrets \
--source=flux-system \
--path=./apps/minikube/secrets \
--prune=true \
--interval=10m \
--decryption-provider=sops \
--decryption-secret=sops-age \
--export