/lab

personal pi cluster k8s manifests

Manifests are rendered using github.com/mykso/myks. This uses a pre-release version of myks (mykso/myks#257).

Secret management

Secrets are managed using sops with age and argocd-vault-plugin.

Secrets are stored as YAML files matching secrets/.*\.yaml and are encrypted with sops using age. The age recipient is configured in .sops.yaml.

Editing files is simple: sops secrets/demo.yaml

Rendering Kubernetes resources: argocd-vault-plugin generate rendered/envs/demo prints the manifests with the secret values substituted in.

How secrets are configured

Special syntax: "<path:secrets/file.yaml#key>"

apiVersion: v1
kind: Secret
metadata:
  annotations:
    a8r.io/repository: ""
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  foo: bar
  encrypted: <path:secrets/demo.yaml#myKey>

Warning: the sops backend of argocd-vault-plugin does not support nested keys or secret versions the way the Vault backend does.

# example.yaml
parent:
  child: value

# manifest referencing it
kind: Secret
apiVersion: v1
metadata:
  name: test-secret
type: Opaque
stringData:
  password: <path:example.yaml#parent | jsonPath {.child}>

deployment

Manual for now using deploy.sh

#!/usr/bin/env bash
set -euo pipefail

base=rendered/envs/some-env

# One kapp app per rendered application directory; avoid parsing ls output
for dir in "$base"/*/; do
  app=$(basename "$dir")
  argocd-vault-plugin generate "$dir" | kapp deploy -y -a "$app" -f -
done
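Added example (not part of this repo): a pre-deploy check that could run before the kapp step. It extracts every <path:FILE#KEY> placeholder from a rendered manifest and verifies that FILE exists, that KEY is a top-level key in it, and that the value is still a sops ENC[...] blob, so a typo'd key, a missing file or a value that was committed in plaintext is caught before anything reaches the cluster. The sops file, manifest, ENC payload and age recipient below are constructed sample data.

```shell
#!/usr/bin/env bash
# Added pre-deploy check (example, not part of this repo): every <path:FILE#KEY>
# placeholder in a rendered manifest must name an existing top-level KEY in a
# sops file, and that key's value must still be an ENC[...] blob (sops encrypts
# values only, so keys and the ENC[ prefix stay readable without the age key).
set -eu
# check_avp_refs MANIFEST [REPO_ROOT]: prints one line per bad ref, returns 1 if any
check_avp_refs() {
  manifest=$1; root=${2:-.}; bad=0
  refs=$(grep -oE '<path:[^#>]+#[^>]+>' "$manifest" || true)
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    ref=${ref#"<path:"}; ref=${ref%">"}          # secrets/demo.yaml#myKey | jsonPath ...
    file=${ref%%#*}
    key=${ref#*#}; key=${key%%[[:space:]|]*}     # drop avp modifiers after the key
    if [ ! -f "$root/$file" ]; then
      echo "missing file: $file (from $manifest)"; bad=1; continue
    fi
    if ! awk -v k="$key:" 'index($0,k)==1{f=1} END{exit !f}' "$root/$file"; then
      echo "missing key: $key in $file (from $manifest)"; bad=1; continue
    fi
    value=$(awk -v k="$key:" 'index($0,k)==1{sub(/^[^:]*:[[:space:]]*/,""); print; exit}' "$root/$file")
    case $value in
      "ENC["*) ;;                                 # value is sops-encrypted, fine
      *) echo "plaintext value: $key in $file is not sops-encrypted"; bad=1 ;;
    esac
  done <<EOF
$refs
EOF
  return "$bad"
}
# Constructed demo input: a fake sops file (ENC payload and recipient are made up)
demo=$(mktemp -d); mkdir -p "$demo/secrets"
cat > "$demo/secrets/demo.yaml" <<'EOF'
myKey: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
leaked: this-should-have-been-encrypted
sops:
    age:
        - recipient: age1exampleexampleexampleexampleexampleexample
EOF
cat > "$demo/rendered.yaml" <<'EOF'
stringData:
  ok: <path:secrets/demo.yaml#myKey>
  bad: <path:secrets/demo.yaml#leaked>
  gone: <path:secrets/demo.yaml#nope>
  nested: <path:secrets/example.yaml#parent | jsonPath {.child}>
EOF
if check_avp_refs "$demo/rendered.yaml" "$demo"; then echo "all refs OK"; else echo "refusing to deploy $demo/rendered.yaml"; fi
```

Wire it into deploy.sh as `check_avp_refs "$base/$app/..."` before the kapp pipe, or run it as a CI step over rendered/.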

Todos

  • Generate ns resources for each app
  • automate deployment
    • Create own age key for each cluster and store key in cluster?