diff --git a/README.md b/README.md
index 0ce3660..368ef77 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,9 @@ Setup the cluster's backbone
 ```
 kubectl apply -k environment/dev
 ```
+
+DO NOT FORGET TO INSTALL THE SOPS PART
+
 NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
 ### Convert helm chart to k3s manifest
@@ -106,3 +109,12 @@ To only expose a service internally, the domain name should be *.beta.entos
 ### Ingresses
 To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation. `traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
+
+### Secret management
+All secrets are encrypted using SOPS and stored in a private secret repository.
+Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator.
+
+Inject the AGE key in the cluster to allow the operator to decrypt secrets :
+```
+kubectl create secret generic age-key --from-file= -n sops
+```
diff --git a/sops-operator/cluster_role.yaml b/sops-operator/cluster_role.yaml
new file mode 100644
index 0000000..e63457f
--- /dev/null
+++ b/sops-operator/cluster_role.yaml
@@ -0,0 +1,75 @@
+---
+# Source: sops-secrets-operator/templates/cluster_role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sops-sops-secrets-operator
+ namespace: sops
+ labels:
+ app.kubernetes.io/name: sops-secrets-operator
+ helm.sh/chart: sops-secrets-operator-0.14.1
+ app.kubernetes.io/instance: sops
+ app.kubernetes.io/version: "0.8.1"
+ app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - secrets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - events.k8s.io
+ - ""
+ resources:
+ - events
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - isindir.github.com
+ resources:
+ - sopssecrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - isindir.github.com
+ resources:
+ - sopssecrets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - isindir.github.com
+ resources:
+ - sopssecrets/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/sops-operator/cluster_role_binding.yaml b/sops-operator/cluster_role_binding.yaml
new file mode 100644
index 0000000..210bc9d
--- /dev/null
+++ b/sops-operator/cluster_role_binding.yaml
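Review bot: The second rule grants `verbs: ['*']` on `configmaps` and `secrets` in every namespace, which turns the operator's ServiceAccount token into a cluster-wide credential for reading and rewriting all Secrets, well beyond materialising the Secrets that SopsSecret objects describe; the `leases` and `events` rules carry the same wildcard. Listing the verbs explicitly, e.g. `verbs: [get, list, watch, create, update, patch, delete]` for the secrets/configmaps rule, keeps the grant to what a controller of this kind issues, but confirm the exact set against the operator's reconciler before trimming. Because this file is rendered Helm output (see the `# Source:` comment), a re-render will restore the wildcard unless the narrowing is carried into a kustomize patch or the chart values. `metadata.namespace: sops` on a cluster-scoped ClusterRole appears to be ignored by the API server and can be dropped so the role does not read as namespaced.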
@@ -0,0 +1,21 @@
+---
+# Source: sops-secrets-operator/templates/cluster_role_binding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: sops-sops-secrets-operator
+ namespace: sops
+ labels:
+ app.kubernetes.io/name: sops-secrets-operator
+ helm.sh/chart: sops-secrets-operator-0.14.1
+ app.kubernetes.io/instance: sops
+ app.kubernetes.io/version: "0.8.1"
+ app.kubernetes.io/managed-by: Helm
+subjects:
+- kind: ServiceAccount
+ name: sops-sops-secrets-operator
+ namespace: sops
+roleRef:
+ kind: ClusterRole
+ name: sops-sops-secrets-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/sops-operator/kustomization.yaml b/sops-operator/kustomization.yaml
new file mode 100644
index 0000000..e4f84d0
--- /dev/null
+++ b/sops-operator/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sops
+
+resources:
+ - cluster_role_binding.yaml
+ - cluster_role.yaml
+ - operator.yaml
+ - service_account.yaml
diff --git a/sops-operator/operator.yaml b/sops-operator/operator.yaml
new file mode 100644
index 0000000..eb8047b
--- /dev/null
+++ b/sops-operator/operator.yaml
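Review bot: In the kustomization.yaml hunk, `namespace: sops` is applied to every resource (and is the namespace of the ClusterRoleBinding subject), but no Namespace object is listed under `resources:`, so a fresh `kubectl apply -k sops-operator` fails unless `sops` is created elsewhere, which this diff does not show. Adding a `namespace.yaml` holding a `Namespace` named `sops` and listing it as `- namespace.yaml` makes the directory self-contained and removes one step from the "DO NOT FORGET" reminder the README gains in this commit. The `age-key` Secret that operator.yaml mounts is still expected to be created out of band, which is appropriate for key material, but a one-line comment here stating that prerequisite would save the next person a failed rollout.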
@@ -0,0 +1,74 @@
+---
+# Source: sops-secrets-operator/templates/operator.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sops-sops-secrets-operator
+ namespace: sops
+ labels:
+ app.kubernetes.io/name: sops-secrets-operator
+ helm.sh/chart: sops-secrets-operator-0.14.1
+ app.kubernetes.io/instance: sops
+ app.kubernetes.io/version: "0.8.1"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sops-secrets-operator
+ app.kubernetes.io/instance: sops
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: sops-secrets-operator
+ labels:
+ control-plane: controller-sops-secrets-operator
+ app.kubernetes.io/name: sops-secrets-operator
+ app.kubernetes.io/instance: sops
+ spec:
+ serviceAccountName: sops-sops-secrets-operator
+ containers:
+ - name: sops-secrets-operator
+ image: "isindir/sops-secrets-operator:0.8.1"
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: age-key
+ mountPath: /sops
+ readOnly: true
+ command:
+ - /usr/local/bin/manager
+ args:
+ # The address the metric endpoint binds to. (default ":8080")
+ #- "--metrics-bind-address=127.0.0.1:8080"
+ - "--health-probe-bind-address=:8081"
+ # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
+ - "--leader-elect"
+ - "--requeue-decrypt-after=5"
+ - "--zap-encoder=json"
+ - "--zap-log-level=info"
+ - "--zap-stacktrace-level=error"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: SOPS_AGE_KEY_FILE
+ value: "/sops/key.txt"
+ resources:
+ {}
+ volumes:
+ - name: age-key
+ secret:
+ secretName: age-key
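Review bot: This Deployment holds the cluster's age private key (mounted from the `age-key` Secret and read via `SOPS_AGE_KEY_FILE`), yet the pod runs with no `securityContext` at all and `resources: {}`, so nothing limits privilege escalation or memory use in the one pod whose compromise exposes every encrypted secret. A pod-level `runAsNonRoot`/`seccompProfile` and a container-level `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` plus requests/limits are the usual baseline; confirm that the image's USER is non-root and that the manager writes nothing to its filesystem before enabling the first two, as neither is visible from this manifest. The README command added in the same commit, `kubectl create secret generic age-key --from-file= -n sops`, leaves the path empty, and this manifest expects the Secret's data key to be `key.txt` (`value: "/sops/key.txt"`), so the documented command should read `--from-file=key.txt=<path-to-age-key>`. `imagePullPolicy: Always` combined with a mutable tag means the running binary can change without any manifest change; pinning `image:` by digest would keep the deployed decryptor auditable.
```yaml
    spec:
      serviceAccountName: sops-sops-secrets-operator
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: sops-secrets-operator
          image: "isindir/sops-secrets-operator:0.8.1"
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: volumeMounts, command, args, probes, env …
          resources:
            # illustrative sizing (constructed) — tune to observed usage
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              memory: "256Mi"
      # … unchanged: volumes …
```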
diff --git a/sops-operator/service_account.yaml b/sops-operator/service_account.yaml
new file mode 100644
index 0000000..39bdd6f
--- /dev/null
+++ b/sops-operator/service_account.yaml
@@ -0,0 +1,13 @@
+---
+# Source: sops-secrets-operator/templates/service_account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sops-sops-secrets-operator
+ namespace: sops
+ labels:
+ app.kubernetes.io/name: sops-secrets-operator
+ helm.sh/chart: sops-secrets-operator-0.14.1
+ app.kubernetes.io/instance: sops
+ app.kubernetes.io/version: "0.8.1"
+ app.kubernetes.io/managed-by: Helm