document sops

2022-10-05 21:15:29 +02:00 · 2022-10-05 21:15:29 +02:00 · 9e19378903
parent 08fbc60df2
commit 9e19378903
1 changed files with 39 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -5,11 +5,47 @@
 * Each subdirectory is a namespace
 * `_apps` is the meta directory for Argo CD apps

-## Usage
+## Secrets

-### Argo CD
+Secrets are encrypted using [SOPS](https://github.com/mozilla/sops) and [age](https://github.com/FiloSottile/age).
+Argo CD uses [KSOPS](https://github.com/viaduct-ai/kustomize-sops) and [kustomize](https://github.com/kubernetes-sigs/kustomize/).

-#### Access
+Public key: `age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8`
+
+The installation and configuration happens in a kustomize patch in `argocd/`.
+
+A good helper to work with SOPS encrypted secrets is [vscode-sops](https://github.com/signageos/vscode-sops).
+
+The `age` key needs to be stored at `$HOME/.config/sops/age/keys.txt`
+
+
+### Usage
+
+Create a normal secret with a `.sops.yaml` file ending. Encrypt it with:
+
+```
+sops --encrypt --in-place secret.sops.yaml
+```
+
+Create a kustomize configuration to generate the secret:
+
+secret-generator.yaml
+```yaml
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+files:
+  - ./secret.sops.yaml
+```
+
+kustomization.yaml
+```yaml
+generators:
+  - ./secret-generator.yaml
+```
+
+## Argo CD

 Either

@ -20,12 +56,6 @@ or
 `kubectl port-forward svc/argocd-server -n argocd 8080:443` and
 then https://localhost:8080/

-#### CLI
-
-* `argocd login argocd-server`
-* `argocd app list`
-* `argocd app sync <name>`
-
 ## Bootstrap GitOps

 ```