feat(sops): Add auto secret management using SOPS
This commit is contained in:
parent
9738c58f92
commit
e6d25f5d60
12
README.md
12
README.md
@ -85,6 +85,9 @@ Setup the cluster's backbone
|
||||
```
|
||||
kubectl apply -k environment/dev
|
||||
```
|
||||
|
||||
DO NOT FORGET TO INSTALL THE SOPS PART
|
||||
|
||||
NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
|
||||
|
||||
### Convert helm chart to k3s manifest
|
||||
@ -106,3 +109,12 @@ To only expose a service internally, the domain name should be *.beta.entos
|
||||
### Ingresses
|
||||
To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation.
|
||||
`traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
|
||||
|
||||
### Secret management
|
||||
All secrets are encrypted using SOPS and stored in a private secret repository.
|
||||
Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator.
|
||||
|
||||
Inject the AGE key in the cluster to allow the operator to decrypt secrets :
|
||||
```
|
||||
kubectl create secret generic age-key --from-file=<path_to_file> -n sops
|
||||
```
|
||||
|
75
sops-operator/cluster_role.yaml
Normal file
75
sops-operator/cluster_role.yaml
Normal file
@ -0,0 +1,75 @@
|
||||
---
|
||||
# Source: sops-secrets-operator/templates/cluster_role.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: sops-sops-secrets-operator
|
||||
namespace: sops
|
||||
labels:
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||
app.kubernetes.io/instance: sops
|
||||
app.kubernetes.io/version: "0.8.1"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
rules:
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
- secrets
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- events.k8s.io
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- monitoring.coreos.com
|
||||
resources:
|
||||
- servicemonitors
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- apiGroups:
|
||||
- isindir.github.com
|
||||
resources:
|
||||
- sopssecrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- isindir.github.com
|
||||
resources:
|
||||
- sopssecrets/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- isindir.github.com
|
||||
resources:
|
||||
- sopssecrets/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
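Review bot: The rule combining `- apiGroups:` / `- ""` with `resources:` `- configmaps` `- secrets` and `verbs:` `- '*'` gives the operator unrestricted read and write on every Secret and ConfigMap in every namespace, because this is a ClusterRole bound through the ClusterRoleBinding in cluster_role_binding.yaml; a compromise of the operator pod then exposes all cluster secrets, not only the SOPS-managed ones. How far the wildcard can be narrowed depends on what the upstream operator actually calls, but since this is a rendered chart kept in the repo it can be edited: the explicit verb list already used for `sopssecrets` (`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`) is the natural replacement for `'*'` on `secrets` and `configmaps`, and the `'*'` on `leases` and `events` can be reduced the same way. `namespace: sops` under `metadata` of a cluster-scoped ClusterRole (and of the ClusterRoleBinding in the next file) has no effect and is misleading, so drop it. `app.kubernetes.io/managed-by: Helm` is also inaccurate now that the rendered manifests are applied through kustomize, here and in the other three files.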
21
sops-operator/cluster_role_binding.yaml
Normal file
21
sops-operator/cluster_role_binding.yaml
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
# Source: sops-secrets-operator/templates/cluster_role_binding.yaml
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: sops-sops-secrets-operator
|
||||
namespace: sops
|
||||
labels:
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||
app.kubernetes.io/instance: sops
|
||||
app.kubernetes.io/version: "0.8.1"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: sops-sops-secrets-operator
|
||||
namespace: sops
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: sops-sops-secrets-operator
|
||||
apiGroup: rbac.authorization.k8s.io
|
9
sops-operator/kustomization.yaml
Normal file
9
sops-operator/kustomization.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: sops
|
||||
|
||||
resources:
|
||||
- cluster_role_binding.yaml
|
||||
- cluster_role.yaml
|
||||
- operator.yaml
|
||||
- service_account.yaml
|
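Review bot: The `resources:` list contains neither a Namespace for `sops` nor the `sopssecrets.isindir.github.com` CustomResourceDefinition, although every manifest in this directory hardcodes `namespace: sops` and cluster_role.yaml grants rights on that API group; unless both are created elsewhere (environment/dev is not part of this commit), `kubectl apply -k sops-operator` fails on the missing namespace and the manager typically cannot set up its controller without the CRD. Consider adding a Namespace manifest and the chart's CRD to the list (for example `- namespace.yaml` and `- crd.yaml`, names to match whatever files are added) and stating in the README where the CRD is installed from. The README's "DO NOT FORGET TO INSTALL THE SOPS PART" would then have a concrete command to point at.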
74
sops-operator/operator.yaml
Normal file
74
sops-operator/operator.yaml
Normal file
@ -0,0 +1,74 @@
|
||||
---
|
||||
# Source: sops-secrets-operator/templates/operator.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: sops-sops-secrets-operator
|
||||
namespace: sops
|
||||
labels:
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||
app.kubernetes.io/instance: sops
|
||||
app.kubernetes.io/version: "0.8.1"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
app.kubernetes.io/instance: sops
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
kubectl.kubernetes.io/default-container: sops-secrets-operator
|
||||
labels:
|
||||
control-plane: controller-sops-secrets-operator
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
app.kubernetes.io/instance: sops
|
||||
spec:
|
||||
serviceAccountName: sops-sops-secrets-operator
|
||||
containers:
|
||||
- name: sops-secrets-operator
|
||||
image: "isindir/sops-secrets-operator:0.8.1"
|
||||
imagePullPolicy: Always
|
||||
volumeMounts:
|
||||
- name: age-key
|
||||
mountPath: /sops
|
||||
readOnly: true
|
||||
command:
|
||||
- /usr/local/bin/manager
|
||||
args:
|
||||
# The address the metric endpoint binds to. (default ":8080")
|
||||
#- "--metrics-bind-address=127.0.0.1:8080"
|
||||
- "--health-probe-bind-address=:8081"
|
||||
# Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
|
||||
- "--leader-elect"
|
||||
- "--requeue-decrypt-after=5"
|
||||
- "--zap-encoder=json"
|
||||
- "--zap-log-level=info"
|
||||
- "--zap-stacktrace-level=error"
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8081
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 20
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /readyz
|
||||
port: 8081
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: SOPS_AGE_KEY_FILE
|
||||
value: "/sops/key.txt"
|
||||
resources:
|
||||
{}
|
||||
volumes:
|
||||
- name: age-key
|
||||
secret:
|
||||
secretName: age-key
|
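Review bot: `SOPS_AGE_KEY_FILE` is set to `/sops/key.txt` while the `age-key` Secret is mounted whole at `/sops`, so the Secret must contain a data key literally named `key.txt`; the README's `kubectl create secret generic age-key --from-file=<path_to_file> -n sops` names that key after the file's basename, so any other filename leaves the operator unable to find the key and every decryption fails. The README line should be the exact form `kubectl create secret generic age-key --from-file=key.txt=<path_to_file> -n sops`, or the manifest should document the required key name next to the volume. Separately, the container has no `securityContext` and `resources: {}`; for a controller holding a cluster-wide decryption capability, dropping all capabilities and forbidding privilege escalation are cheap hardening, and `runAsNonRoot: true` can be added as well if the image's default user is non-root, which is not verifiable from here.
```yaml
      containers:
        - name: sops-secrets-operator
          # … unchanged: image, imagePullPolicy, volumeMounts, command, args, probes, env …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            {}
```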
13
sops-operator/service_account.yaml
Normal file
13
sops-operator/service_account.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
# Source: sops-secrets-operator/templates/service_account.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: sops-sops-secrets-operator
|
||||
namespace: sops
|
||||
labels:
|
||||
app.kubernetes.io/name: sops-secrets-operator
|
||||
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||
app.kubernetes.io/instance: sops
|
||||
app.kubernetes.io/version: "0.8.1"
|
||||
app.kubernetes.io/managed-by: Helm
|