diff --git a/Environments.md b/Environments.md index 4fb26bc..d84218c 100644 --- a/Environments.md +++ b/Environments.md @@ -1,101 +1,107 @@ -# Environments - -## Variables -{WIP} - -## Secret - -{WIP} -### Encryption - -In regard of GitOps there is multiple way to handle encryption of secret that -live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as -you encryption engine. - -We have already Setup a key [Private key](Path_to_sops_private_key) dedicated -to your namespace that will be able to decrypt any secret that you is in your git repository. - - -[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will -handle how you secret will be encrypted while using sops. - -#### Quick Start - -To work with secret you'll need: -* [SOPS stable release](https://github.com/getsops/sops/releases) -* [age](https://age-encryption.org/) - -##### Create your own key - -###### Linux - -```shell -mkdir -p $XDG_CONFIG_HOME/sops/age -age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt -``` -###### MacOS - -```shell -mkdir -p "$HOME/Library/Application Support/sops/age" -age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt" -``` -##### Propagate your Public key - -Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key -that you have generated previously. - -Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending -on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to -the dev secrets. - - -```shell -$ cat .sops.yaml - --- - - # This example uses YAML anchors which allows reuse of multiple keys - # without having to repeat yourself. - # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml - # for a more complex example. - keys: - age: - - &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47 - - &YOUR_KEY_NAME - creation_rules: - - path_regex: .+secret(\.sops)?\.ya?ml - input_type: yaml - encrypted_regex: ^(data|stringData)$ - key_groups: - - age: &key_groups - - *cluster_age_key - - *YOUR_KEY_NAME - - path_regex: .+secret(\.sops)?\.env - input_type: env - key_groups: - - age: *key_groups - stores: - yaml: - indent: 2 -``` -##### Create your first secret - -``` -$ sops name_of_you_file.secret.sops.yaml - -``` -You can then deploy it the cluster will be able to Decrypt it using it's public -key - -##### Rewrapping secret - -In case add/remove a key secret generated previously will need to be -reencrypted with the appropriate key. We have place a [shell -script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you. - -It will reencrypt all the secret that it will find in folder and subfolder -following the .sops.yaml rules files of your directory. - - -| :boom: INFOS | -|:----------------------------| -| You can have as many .sops.yaml file as you want in your repository | +# Environments + +## Variables +{WIP} + +## Secret + +{WIP} +### Encryption + +In regard of GitOps there is multiple way to handle encryption of secret that +live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as +you encryption engine. + +We have already Setup a key [Private key](Path_to_sops_private_key) dedicated +to your namespace that will be able to decrypt any secret that you is in your git repository. + + +[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will +handle how you secret will be encrypted while using sops. + +#### Quick Start + +To work with secret you'll need: +* [SOPS stable release](https://github.com/getsops/sops/releases) +* [age](https://age-encryption.org/) + +##### Create your own key + +###### Linux + +```shell +mkdir -p $XDG_CONFIG_HOME/sops/age +age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt +``` +###### MacOS + +```shell +mkdir -p "$HOME/Library/Application Support/sops/age" +age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt" +``` +##### Propagate your Public key + +Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key +that you have generated previously. + +Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending +on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to +the dev secrets. + + +```shell +$ cat .sops.yaml + --- + + # This example uses YAML anchors which allows reuse of multiple keys + # without having to repeat yourself. + # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml + # for a more complex example. + keys: + age: + - &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47 + - &YOUR_KEY_NAME + creation_rules: + - path_regex: .+secret(\.sops)?\.ya?ml + input_type: yaml + encrypted_regex: ^(data|stringData)$ + key_groups: + - age: &key_groups + - *cluster_age_key + - *YOUR_KEY_NAME + - path_regex: .+secret(\.sops)?\.env + input_type: env + key_groups: + - age: *key_groups + stores: + yaml: + indent: 2 +``` +##### Create your first secret + +``` +$ sops name_of_you_file.secret.sops.yaml + +``` +You can then deploy it the cluster will be able to Decrypt it using it's public +key + +##### Edit secrets + +You can use the same command used to create new secrets to edit existing files + +You can also use [this VSCode plugin](https://marketplace.visualstudio.com/items?itemName=signageos.signageos-vscode-sops) + +##### Rewrapping secret + +In case add/remove a key secret generated previously will need to be +reencrypted with the appropriate key. We have place a [shell +script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you. + +It will reencrypt all the secret that it will find in folder and subfolder +following the .sops.yaml rules files of your directory. + + +| :boom: INFOS | +|:----------------------------| +| You can have as many .sops.yaml file as you want in your repository |