feat(sops): Add auto secret management using SOPS
This commit is contained in:
parent
9738c58f92
commit
e6d25f5d60
12
README.md
12
README.md
@ -85,6 +85,9 @@ Setup the cluster's backbone
|
|||||||
```
|
```
|
||||||
kubectl apply -k environment/dev
|
kubectl apply -k environment/dev
|
||||||
```
|
```
|
||||||
|
|
||||||
|
DO NOT FORGET TO INSTALL THE SOPS PART
|
||||||
|
|
||||||
NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
|
NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
|
||||||
|
|
||||||
### Convert helm chart to k3s manifest
|
### Convert helm chart to k3s manifest
|
||||||
@ -106,3 +109,12 @@ To only expose a service internally, the domain name should be *.beta.entos
|
|||||||
### Ingresses
|
### Ingresses
|
||||||
To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation.
|
To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation.
|
||||||
`traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
|
`traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
|
||||||
|
|
||||||
|
### Secret management
|
||||||
|
All secrets are encrypted using SOPS and stored in a private secret repository.
|
||||||
|
Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator.
|
||||||
|
|
||||||
|
Inject the AGE key in the cluster to allow the operator to decrypt secrets :
|
||||||
|
```
|
||||||
|
kubectl create secret generic age-key --from-file=<path_to_file> -n sops
|
||||||
|
```
|
||||||
|
75
sops-operator/cluster_role.yaml
Normal file
75
sops-operator/cluster_role.yaml
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
---
|
||||||
|
# Source: sops-secrets-operator/templates/cluster_role.yaml
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
namespace: sops
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
app.kubernetes.io/version: "0.8.1"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- coordination.k8s.io
|
||||||
|
resources:
|
||||||
|
- leases
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- secrets/status
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- events.k8s.io
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- monitoring.coreos.com
|
||||||
|
resources:
|
||||||
|
- servicemonitors
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- create
|
||||||
|
- apiGroups:
|
||||||
|
- isindir.github.com
|
||||||
|
resources:
|
||||||
|
- sopssecrets
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- isindir.github.com
|
||||||
|
resources:
|
||||||
|
- sopssecrets/finalizers
|
||||||
|
verbs:
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- isindir.github.com
|
||||||
|
resources:
|
||||||
|
- sopssecrets/status
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- update
|
21
sops-operator/cluster_role_binding.yaml
Normal file
21
sops-operator/cluster_role_binding.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
# Source: sops-secrets-operator/templates/cluster_role_binding.yaml
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
namespace: sops
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
app.kubernetes.io/version: "0.8.1"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
namespace: sops
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
9
sops-operator/kustomization.yaml
Normal file
9
sops-operator/kustomization.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
namespace: sops
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cluster_role_binding.yaml
|
||||||
|
- cluster_role.yaml
|
||||||
|
- operator.yaml
|
||||||
|
- service_account.yaml
|
74
sops-operator/operator.yaml
Normal file
74
sops-operator/operator.yaml
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
---
|
||||||
|
# Source: sops-secrets-operator/templates/operator.yaml
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
namespace: sops
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
app.kubernetes.io/version: "0.8.1"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
kubectl.kubernetes.io/default-container: sops-secrets-operator
|
||||||
|
labels:
|
||||||
|
control-plane: controller-sops-secrets-operator
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
spec:
|
||||||
|
serviceAccountName: sops-sops-secrets-operator
|
||||||
|
containers:
|
||||||
|
- name: sops-secrets-operator
|
||||||
|
image: "isindir/sops-secrets-operator:0.8.1"
|
||||||
|
imagePullPolicy: Always
|
||||||
|
volumeMounts:
|
||||||
|
- name: age-key
|
||||||
|
mountPath: /sops
|
||||||
|
readOnly: true
|
||||||
|
command:
|
||||||
|
- /usr/local/bin/manager
|
||||||
|
args:
|
||||||
|
# The address the metric endpoint binds to. (default ":8080")
|
||||||
|
#- "--metrics-bind-address=127.0.0.1:8080"
|
||||||
|
- "--health-probe-bind-address=:8081"
|
||||||
|
# Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
|
||||||
|
- "--leader-elect"
|
||||||
|
- "--requeue-decrypt-after=5"
|
||||||
|
- "--zap-encoder=json"
|
||||||
|
- "--zap-log-level=info"
|
||||||
|
- "--zap-stacktrace-level=error"
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 20
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
env:
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: SOPS_AGE_KEY_FILE
|
||||||
|
value: "/sops/key.txt"
|
||||||
|
resources:
|
||||||
|
{}
|
||||||
|
volumes:
|
||||||
|
- name: age-key
|
||||||
|
secret:
|
||||||
|
secretName: age-key
|
13
sops-operator/service_account.yaml
Normal file
13
sops-operator/service_account.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
# Source: sops-secrets-operator/templates/service_account.yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: sops-sops-secrets-operator
|
||||||
|
namespace: sops
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: sops-secrets-operator
|
||||||
|
helm.sh/chart: sops-secrets-operator-0.14.1
|
||||||
|
app.kubernetes.io/instance: sops
|
||||||
|
app.kubernetes.io/version: "0.8.1"
|
||||||
|
app.kubernetes.io/managed-by: Helm
|