feat(sops): Add auto secret management using SOPS

This commit is contained in:
Tanguy Herbron 2023-03-16 01:58:21 +01:00
parent 9738c58f92
commit e6d25f5d60
6 changed files with 204 additions and 0 deletions


@ -85,6 +85,9 @@ Setup the cluster's backbone
``` ```
kubectl apply -k environment/dev kubectl apply -k environment/dev
``` ```
DO NOT FORGET TO INSTALL THE SOPS PART
NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
### Convert helm chart to k3s manifest ### Convert helm chart to k3s manifest
@ -106,3 +109,12 @@ To only expose a service internally, the domain name should be *.beta.entos
### Ingresses ### Ingresses
To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation. To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation.
`traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access. `traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
### Secret management
All secrets are encrypted using SOPS and stored in a private secret repository.
Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator.
Inject the AGE key in the cluster to allow the operator to decrypt secrets :
```
kubectl create secret generic age-key --from-file=<path_to_file> -n sops
```


@ -0,0 +1,75 @@
---
# Source: sops-secrets-operator/templates/cluster_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sops-sops-secrets-operator
namespace: sops
labels:
app.kubernetes.io/name: sops-secrets-operator
helm.sh/chart: sops-secrets-operator-0.14.1
app.kubernetes.io/instance: sops
app.kubernetes.io/version: "0.8.1"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- '*'
- apiGroups:
- ""
resources:
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- events.k8s.io
- ""
resources:
- events
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- isindir.github.com
resources:
- sopssecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- isindir.github.com
resources:
- sopssecrets/finalizers
verbs:
- update
- apiGroups:
- isindir.github.com
resources:
- sopssecrets/status
verbs:
- get
- patch
- update
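Review bot: The rule on the `""` API group (lines 53-59) grants every verb (`'*'`) on `configmaps` and `secrets` in every namespace, so a compromise of the operator pod would yield read/write access to all Secrets in the cluster rather than only the ones it reconciles; the same wildcard is used for `leases` and `events`. Since the rendered chart is checked in as a plain manifest, the verb lists can be narrowed to what the operator actually needs (presumably `get`, `list`, `watch`, `create`, `update`, `patch`, `delete` for secrets — confirm against the operator's controller code before tightening). If SopsSecret objects only ever live in a known set of namespaces, a Role/RoleBinding per namespace would limit the blast radius further than a ClusterRole. Separately, `namespace: sops` under `metadata` (line 39) is meaningless on a cluster-scoped kind and is likely ignored or rewritten by kustomize's `namespace:` transformer; the ClusterRoleBinding carries the same leftover and both could be dropped for clarity.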


@ -0,0 +1,21 @@
---
# Source: sops-secrets-operator/templates/cluster_role_binding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sops-sops-secrets-operator
namespace: sops
labels:
app.kubernetes.io/name: sops-secrets-operator
helm.sh/chart: sops-secrets-operator-0.14.1
app.kubernetes.io/instance: sops
app.kubernetes.io/version: "0.8.1"
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: sops-sops-secrets-operator
namespace: sops
roleRef:
kind: ClusterRole
name: sops-sops-secrets-operator
apiGroup: rbac.authorization.k8s.io


@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: sops
resources:
- cluster_role_binding.yaml
- cluster_role.yaml
- operator.yaml
- service_account.yaml
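Review bot: Nothing in this kustomization creates the `sops` Namespace that `namespace: sops` and every listed resource depend on, so `kubectl apply -k` on a fresh cluster fails until the namespace exists out of band; adding a `namespace.yaml` with `kind: Namespace` / `metadata.name: sops` to `resources:` (or documenting the manual step next to the age-key instruction in the README) would make the apply self-contained. The ClusterRole also references the `sopssecrets` resource of `isindir.github.com`, but none of the six changed files appears to carry the SopsSecret CRD — if it is not installed by another path, the operator will start but never reconcile anything; worth either including the CRD manifest here or stating where it comes from.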


@ -0,0 +1,74 @@
---
# Source: sops-secrets-operator/templates/operator.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: sops-sops-secrets-operator
namespace: sops
labels:
app.kubernetes.io/name: sops-secrets-operator
helm.sh/chart: sops-secrets-operator-0.14.1
app.kubernetes.io/instance: sops
app.kubernetes.io/version: "0.8.1"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: sops-secrets-operator
app.kubernetes.io/instance: sops
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: sops-secrets-operator
labels:
control-plane: controller-sops-secrets-operator
app.kubernetes.io/name: sops-secrets-operator
app.kubernetes.io/instance: sops
spec:
serviceAccountName: sops-sops-secrets-operator
containers:
- name: sops-secrets-operator
image: "isindir/sops-secrets-operator:0.8.1"
imagePullPolicy: Always
volumeMounts:
- name: age-key
mountPath: /sops
readOnly: true
command:
- /usr/local/bin/manager
args:
# The address the metric endpoint binds to. (default ":8080")
#- "--metrics-bind-address=127.0.0.1:8080"
- "--health-probe-bind-address=:8081"
# Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
- "--leader-elect"
- "--requeue-decrypt-after=5"
- "--zap-encoder=json"
- "--zap-log-level=info"
- "--zap-stacktrace-level=error"
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SOPS_AGE_KEY_FILE
value: "/sops/key.txt"
resources:
{}
volumes:
- name: age-key
secret:
secretName: age-key
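Review bot: `SOPS_AGE_KEY_FILE` is fixed to `/sops/key.txt` (line 216) while the age-key Secret is mounted as a volume at `/sops`, so the Secret must contain a data key literally named `key.txt`; the README command `kubectl create secret generic age-key --from-file=<path_to_file> -n sops` uses the source file's basename as the key, which only works if the local file happens to be called `key.txt`. The README line should be `kubectl create secret generic age-key --from-file=key.txt=<path_to_file> -n sops` (or the env var should follow whatever name the README mandates). The container also runs with no `securityContext` and `resources: {}`; for a pod holding the cluster-wide decryption key, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]` plus modest requests/limits would be the usual hardening (the upstream chart may expose these as values — check before hand-editing the rendered manifest). `--requeue-decrypt-after=5` has no unit in the flag name; a comment stating the unit per the operator's documentation would help the next reader.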


@ -0,0 +1,13 @@
---
# Source: sops-secrets-operator/templates/service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: sops-sops-secrets-operator
namespace: sops
labels:
app.kubernetes.io/name: sops-secrets-operator
helm.sh/chart: sops-secrets-operator-0.14.1
app.kubernetes.io/instance: sops
app.kubernetes.io/version: "0.8.1"
app.kubernetes.io/managed-by: Helm