Update Environments
parent
ae6a7a6910
commit
e3a8f9126f
1 changed files with 107 additions and 101 deletions
208
Environments.md
208
Environments.md
|
|
@ -1,101 +1,107 @@
|
|||
# Environments
|
||||
|
||||
## Variables
|
||||
{WIP}
|
||||
|
||||
## Secret
|
||||
|
||||
{WIP}
|
||||
### Encryption
|
||||
|
||||
In regard of GitOps there is multiple way to handle encryption of secret that
|
||||
live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as
|
||||
you encryption engine.
|
||||
|
||||
We have already Setup a key [Private key](Path_to_sops_private_key) dedicated
|
||||
to your namespace that will be able to decrypt any secret that you is in your git repository.
|
||||
|
||||
|
||||
[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will
|
||||
handle how you secret will be encrypted while using sops.
|
||||
|
||||
#### Quick Start
|
||||
|
||||
To work with secret you'll need:
|
||||
* [SOPS stable release](https://github.com/getsops/sops/releases)
|
||||
* [age](https://age-encryption.org/)
|
||||
|
||||
##### Create your own key
|
||||
|
||||
###### Linux
|
||||
|
||||
```shell
|
||||
mkdir -p $XDG_CONFIG_HOME/sops/age
|
||||
age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt
|
||||
```
|
||||
###### MacOS
|
||||
|
||||
```shell
|
||||
mkdir -p "$HOME/Library/Application Support/sops/age"
|
||||
age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt"
|
||||
```
|
||||
##### Propagate your Public key
|
||||
|
||||
Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key
|
||||
that you have generated previously.
|
||||
|
||||
Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending
|
||||
on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to
|
||||
the dev secrets.
|
||||
|
||||
|
||||
```shell
|
||||
$ cat .sops.yaml
|
||||
---
|
||||
|
||||
# This example uses YAML anchors which allows reuse of multiple keys
|
||||
# without having to repeat yourself.
|
||||
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
|
||||
# for a more complex example.
|
||||
keys:
|
||||
age:
|
||||
- &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47
|
||||
- &YOUR_KEY_NAME <PUBLIC_KEY>
|
||||
creation_rules:
|
||||
- path_regex: .+secret(\.sops)?\.ya?ml
|
||||
input_type: yaml
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
key_groups:
|
||||
- age: &key_groups
|
||||
- *cluster_age_key
|
||||
- *YOUR_KEY_NAME
|
||||
- path_regex: .+secret(\.sops)?\.env
|
||||
input_type: env
|
||||
key_groups:
|
||||
- age: *key_groups
|
||||
stores:
|
||||
yaml:
|
||||
indent: 2
|
||||
```
|
||||
##### Create your first secret
|
||||
|
||||
```
|
||||
$ sops name_of_you_file.secret.sops.yaml
|
||||
|
||||
```
|
||||
You can then deploy it the cluster will be able to Decrypt it using it's public
|
||||
key
|
||||
|
||||
##### Rewrapping secret
|
||||
|
||||
In case add/remove a key secret generated previously will need to be
|
||||
reencrypted with the appropriate key. We have place a [shell
|
||||
script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you.
|
||||
|
||||
It will reencrypt all the secret that it will find in folder and subfolder
|
||||
following the .sops.yaml rules files of your directory.
|
||||
|
||||
|
||||
| :boom: INFOS |
|
||||
|:----------------------------|
|
||||
| You can have as many .sops.yaml file as you want in your repository |
|
||||
# Environments
|
||||
|
||||
## Variables
|
||||
{WIP}
|
||||
|
||||
## Secret
|
||||
|
||||
{WIP}
|
||||
### Encryption
|
||||
|
||||
In regard of GitOps there is multiple way to handle encryption of secret that
|
||||
live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as
|
||||
you encryption engine.
|
||||
|
||||
We have already Setup a key [Private key](Path_to_sops_private_key) dedicated
|
||||
to your namespace that will be able to decrypt any secret that you is in your git repository.
|
||||
|
||||
|
||||
[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will
|
||||
handle how you secret will be encrypted while using sops.
|
||||
|
||||
#### Quick Start
|
||||
|
||||
To work with secret you'll need:
|
||||
* [SOPS stable release](https://github.com/getsops/sops/releases)
|
||||
* [age](https://age-encryption.org/)
|
||||
|
||||
##### Create your own key
|
||||
|
||||
###### Linux
|
||||
|
||||
```shell
|
||||
mkdir -p $XDG_CONFIG_HOME/sops/age
|
||||
age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt
|
||||
```
|
||||
###### MacOS
|
||||
|
||||
```shell
|
||||
mkdir -p "$HOME/Library/Application Support/sops/age"
|
||||
age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt"
|
||||
```
|
||||
##### Propagate your Public key
|
||||
|
||||
Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key
|
||||
that you have generated previously.
|
||||
|
||||
Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending
|
||||
on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to
|
||||
the dev secrets.
|
||||
|
||||
|
||||
```shell
|
||||
$ cat .sops.yaml
|
||||
---
|
||||
|
||||
# This example uses YAML anchors which allows reuse of multiple keys
|
||||
# without having to repeat yourself.
|
||||
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
|
||||
# for a more complex example.
|
||||
keys:
|
||||
age:
|
||||
- &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47
|
||||
- &YOUR_KEY_NAME <PUBLIC_KEY>
|
||||
creation_rules:
|
||||
- path_regex: .+secret(\.sops)?\.ya?ml
|
||||
input_type: yaml
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
key_groups:
|
||||
- age: &key_groups
|
||||
- *cluster_age_key
|
||||
- *YOUR_KEY_NAME
|
||||
- path_regex: .+secret(\.sops)?\.env
|
||||
input_type: env
|
||||
key_groups:
|
||||
- age: *key_groups
|
||||
stores:
|
||||
yaml:
|
||||
indent: 2
|
||||
```
|
||||
##### Create your first secret
|
||||
|
||||
```
|
||||
$ sops name_of_you_file.secret.sops.yaml
|
||||
|
||||
```
|
||||
You can then deploy it the cluster will be able to Decrypt it using it's public
|
||||
key
|
||||
|
||||
##### Edit secrets
|
||||
|
||||
You can use the same command used to create new secrets to edit existing files
|
||||
|
||||
You can also use [this VSCode plugin](https://marketplace.visualstudio.com/items?itemName=signageos.signageos-vscode-sops)
|
||||
|
||||
##### Rewrapping secret
|
||||
|
||||
In case add/remove a key secret generated previously will need to be
|
||||
reencrypted with the appropriate key. We have place a [shell
|
||||
script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you.
|
||||
|
||||
It will reencrypt all the secret that it will find in folder and subfolder
|
||||
following the .sops.yaml rules files of your directory.
|
||||
|
||||
|
||||
| :boom: INFOS |
|
||||
|:----------------------------|
|
||||
| You can have as many .sops.yaml file as you want in your repository |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue