Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Mozilla SOPS decryption #95

Merged
merged 7 commits into from
Sep 2, 2020
Merged

Implement Mozilla SOPS decryption #95

merged 7 commits into from
Sep 2, 2020

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Sep 1, 2020
edited
Loading

This PR implements Mozilla SOPS decryption fix: #94

Example

In order to store secrets safely in a public or private Git repository, you can use Mozilla SOPS and encrypt your Kubernetes Secrets data with OpenPGP keys.

Generate a GPG key without passphrase using gnupg then use sops to encrypt a Kubernetes secret:

sops --pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 \
--encrypt --encrypted-regex '^(data|stringData)$' --in-place my-secret.yaml

Commit and push the encrypted file to Git.

Note that you should encrypt only the data section, encrypting the Kubernetes secret
metadata, kind or apiVersion is not supported by kustomize-controller.

Create a secret in the gitops-system namespace with the OpenPGP private key:

gpg --export-secret-keys --armor FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 |
kubectl -n gitops-system create secret generic sops-gpg \
--from-file=sops.asc=/dev/stdin

Configure decryption by referring the private key secret:

apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
kind: Kustomization
metadata:
  name: my-secrets
spec:
  interval: 5m
  path: "./"
  sourceRef:
    kind: GitRepository
    name: my-secrets
  decryption:
    provider: sops
    secretRef:
      name: sops-pgp

@stefanprodan stefanprodan added enhancement New feature or request area/kustomize Kustomize related issues and pull requests labels Sep 1, 2020
@stefanprodan stefanprodan requested a review from hiddeco September 1, 2020 12:54
@stefanprodan stefanprodan force-pushed the sops branch 2 times, most recently from dcb5ab7 to 30ac80c Compare September 1, 2020 15:13
hiddeco
hiddeco reviewed Sep 1, 2020
View reviewed changes
@hiddeco hiddeco force-pushed the sops branch 2 times, most recently from adb6ab4 to 812e83e Compare September 2, 2020 12:18
hiddeco
hiddeco approved these changes Sep 2, 2020
View reviewed changes
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to go to me for now. In a future iteration we should have a look at getting rid of the gpg binary as we now have full control over the process, and can now make it so that it does not have to fallback.

💯

@stefanprodan stefanprodan merged commit e59d1cd into master Sep 2, 2020
@stefanprodan stefanprodan deleted the sops branch September 2, 2020 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiddeco hiddeco hiddeco approved these changes

Assignees
No one assigned
Labels
area/kustomize Kustomize related issues and pull requests enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for Mozilla SOPS decryption
2 participants
@stefanprodan @hiddeco