Specification:
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
kind: Kustomization
metadata:
  name: backend
spec:
  interval: 5m
  path: "./overlays/production/"
  prune: true
  sourceRef:
    kind: GitRepository
    name: webapp
  decrypt:
    engine: sops
    serviceAccountName: kms-reader
    secretRef:
      name: pgp-keys
```
The Kubernetes secrets used in `./overlays/production/` are encrypted with:

```sh
sops --encrypt --encrypted-regex '^(data|stringData)$' --in-place my-secret.yaml
```
kustomize-controller
- create the decrypt pod `sops-decrypt-<kustomization-name>-<artifact-short-sha>`
- wait for the pod to become ready
```yaml
apiVersion: v1
kind: Service
metadata:
  name: sops-decrypt
spec:
  clusterIP: None
  selector:
    app: sops-decrypt
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: sops-decrypt-backend-363a6a8
  namespace: gitops-system
  labels:
    app: sops-decrypt
  ownerReferences:
    - apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: Kustomization
      name: backend
spec:
  serviceAccountName: kms-reader
  restartPolicy: Never
  containers:
    - name: sops-decrypt
      image: docker.io/fluxcd/sops-decrypt:v0.0.1
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 3
        httpGet:
          path: /healthz
          port: http
          scheme: HTTP
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
      resources:
        limits:
          cpu: "1"
          memory: 256Mi
        requests:
          cpu: 100m
          memory: 64Mi
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - mountPath: /tmp
          name: temp
        - mountPath: /pgp-keys
          name: pgp-keys
          readOnly: true
  volumes:
    - emptyDir: {}
      name: temp
    - name: pgp-keys
      secret:
        defaultMode: 420
        secretName: pgp-keys
  nodeSelector:
    kubernetes.io/arch: amd64
    kubernetes.io/os: linux
```
sops-decrypt
- import the PGP keys from `/pgp-keys`
- listen for HTTP POST requests on port 8080
kustomize-controller
- run kustomize build
- extract sops encrypted manifests to a yaml file
- post the yaml file with the encrypted manifests to the sops-decrypt HTTP endpoint
- wait for response
sops-decrypt
- receive the yaml file with the encrypted manifests
- split the manifests into individual yaml files
- execute sops decrypt for each file
- merge the decrypted manifests into a single yaml
- respond to the kustomize-controller request with the decrypted manifests
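The split/decrypt/merge step of the sops-decrypt pod, as an added example in Go that is not code from this proposal or from the fluxcd project. It assumes the pod serves `DecryptStream(body, execSops)` behind its POST endpoint, that the sops CLI accepts the document on `/dev/stdin` with explicit `--input-type`/`--output-type`, and that an encrypted manifest is recognised by the top-level `sops:` metadata block the encrypt command adds; `sampleStream` is a constructed build output.

```go
package main

import (
	"bytes"
	"os/exec"
	"regexp"
	"strings"
)

var docSep = regexp.MustCompile(`(?m)^---\s*$`)   // YAML document separator
var sopsKey = regexp.MustCompile(`(?m)^sops:\s*$`) // metadata block sops adds on encrypt

// sampleStream is a constructed kustomize build output: one plain ConfigMap and
// one Secret encrypted with the --encrypted-regex '^(data|stringData)$' rule above.
const sampleStream = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: plain\n" +
	"---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: db\nstringData:\n" +
	"  password: ENC[AES256_GCM,data:constructed,type:str]\nsops:\n  mac: ENC[AES256_GCM,data:constructed,type:str]\n"

// DecryptStream implements the pod's split/decrypt/merge step: it splits the
// posted stream on "---", hands only documents carrying sops metadata to
// decrypt (anything else passes through untouched) and merges the result back
// into one stream. decrypt is execSops in the pod; a test can inject a fake.
func DecryptStream(stream []byte, decrypt func([]byte) ([]byte, error)) ([]byte, error) {
	var out [][]byte
	for _, d := range docSep.Split(string(stream), -1) {
		doc := []byte(strings.TrimSpace(d) + "\n")
		if len(doc) == 1 {
			continue // empty document
		}
		if sopsKey.Match(doc) {
			var err error
			if doc, err = decrypt(doc); err != nil {
				return nil, err // one undecryptable document fails the whole request
			}
		}
		out = append(out, bytes.TrimSpace(doc))
	}
	return append(bytes.Join(out, []byte("\n---\n")), '\n'), nil
}

// execSops pipes one document through the sops CLI, which uses the PGP keys
// imported from /pgp-keys; the keys never leave the pod, only plaintext YAML does.
func execSops(doc []byte) ([]byte, error) {
	cmd := exec.Command("sops", "--decrypt", "--input-type", "yaml", "--output-type", "yaml", "/dev/stdin")
	cmd.Stdin = bytes.NewReader(doc)
	return cmd.Output() // non-zero exit (bad MAC, missing key) surfaces as an error
}
```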
kustomize-controller
- receive the decrypted manifests
- delete pod
- replace the encrypted manifests with the decrypted ones in the kustomize build output
- continue with reconciliation