From 68c9553c47e69e09695fdd9d98b4604efaa630a7 Mon Sep 17 00:00:00 2001 From: Cloufish <32965886+Cloufish@users.noreply.github.com> Date: Sun, 13 Jul 2025 20:08:58 +0200 Subject: [PATCH 1/2] Update mozilla-sops.md Signed-off-by: Cloufish <32965886+Cloufish@users.noreply.github.com> --- content/en/flux/guides/mozilla-sops.md | 71 ++++++++++++++------------ 1 file changed, 37 insertions(+), 34 deletions(-) diff --git a/content/en/flux/guides/mozilla-sops.md b/content/en/flux/guides/mozilla-sops.md index 9fec48950..32e16b277 100644 --- a/content/en/flux/guides/mozilla-sops.md +++ b/content/en/flux/guides/mozilla-sops.md 
@@ -15,13 +15,48 @@ toolkit controllers installed on it. Please see the [get started guide](/flux/get-started/index.md) or the [installation guide](/flux/installation/). -Install [gnupg](https://www.gnupg.org/) and [SOPS](https://github.com/mozilla/sops): +## Encrypting secrets using age +Install [age](https://github.com/FiloSottile/age) and [SOPS](https://github.com/mozilla/sops): ```sh -brew install gnupg sops +brew install age sops +``` +[age](https://github.com/FiloSottile/age) is a simple, modern alternative to OpenPGP. It's recommended to use age over OpenPGP, if possible. + +Encrypting with age follows the same workflow than PGP. + +Generate an age key with [age](https://age-encryption.org) using `age-keygen`: + +```console +$ age-keygen -o age.agekey +Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg ``` +Create a secret with the age private key, +the key name must end with `.agekey` to be detected as an age key: + +```sh +cat age.agekey | +kubectl create secret generic sops-age \ +--namespace=flux-system \ +--from-file=age.agekey=/dev/stdin +``` + +Use `sops` and the age public key to encrypt a Kubernetes secret: + +```sh +sops --age=age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg \ +--encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml +``` + +And finally set the decryption secret in the Flux Kustomization to `sops-age`. + ## Generate a GPG key +Install [gnupg](https://www.gnupg.org/) and [SOPS](https://github.com/mozilla/sops): + +```sh +brew install gnupg sops +``` Generate a GPG/OpenPGP key with no passphrase (`%no-protection`): 
@@ -181,38 +216,6 @@ You can now commit the encrypted secret to your Git repository. Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl. SOPS encrypted secrets are designed to be consumed by kustomize-controller. {{% /alert %}} -## Encrypting secrets using age - -[age](https://github.com/FiloSottile/age) is a simple, modern alternative to OpenPGP. It's recommended to use age over OpenPGP, if possible. - -Encrypting with age follows the same workflow than PGP. - -Generate an age key with [age](https://age-encryption.org) using `age-keygen`: - -```console -$ age-keygen -o age.agekey -Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg -``` - -Create a secret with the age private key, -the key name must end with `.agekey` to be detected as an age key: - -```sh -cat age.agekey | -kubectl create secret generic sops-age \ ---namespace=flux-system \ ---from-file=age.agekey=/dev/stdin -``` - -Use `sops` and the age public key to encrypt a Kubernetes secret: - -```sh -sops --age=age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg \ ---encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml -``` - -And finally set the decryption secret in the Flux Kustomization to `sops-age`. - ## Encrypting secrets using HashiCorp Vault [HashiCorp Vault](https://www.vaultproject.io/docs/what-is-vault) is an identity-based secrets and encryption management system. From ee405dbf23b985c9ffd27ed7a2e7bc5b25935a39 Mon Sep 17 00:00:00 2001 From: Cloufish <32965886+Cloufish@users.noreply.github.com> Date: Sun, 13 Jul 2025 20:15:23 +0200 Subject: [PATCH 2/2] Update mozilla-sops.md Signed-off-by: Cloufish <32965886+Cloufish@users.noreply.github.com> --- content/en/flux/guides/mozilla-sops.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/en/flux/guides/mozilla-sops.md b/content/en/flux/guides/mozilla-sops.md index 32e16b277..427c871af 100644 --- a/content/en/flux/guides/mozilla-sops.md 
+++ b/content/en/flux/guides/mozilla-sops.md @@ -51,6 +51,20 @@ sops --age=age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg \ And finally set the decryption secret in the Flux Kustomization to `sops-age`. +```yml +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps +spec: + # ...omitted for brevity + decryption: + provider: sops + secretRef: + name: sops-age +``` + + ## Generate a GPG key Install [gnupg](https://www.gnupg.org/) and [SOPS](https://github.com/mozilla/sops):
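Review bot: in the first hunk of PATCH 1/2 (`@@ -15,13 +15,48 @@`), the moved sentence "Encrypting with age follows the same workflow than PGP." now sits before the GPG walkthrough it compares itself to, so the reader meets the comparison before seeing any PGP steps; fix the grammar ("the same workflow as PGP") and reword it so it does not point at a section that has not been introduced yet, e.g. "The GPG section below repeats the same steps with an OpenPGP key." The encryption step `sops --age=... --encrypt --encrypted-regex '^(data|stringData)$' --in-place basic-auth.yaml` also references `basic-auth.yaml`, which nothing in this hunk creates; now that the age section comes first, add a sentence saying where that file comes from or show the step that produces it before this command. Three Markdown blank lines are missing in the added text: after the `## Encrypting secrets using age` heading, after the closing fence of `brew install age sops` before the `[age](...) is a simple, modern alternative` paragraph, and after the closing fence of `brew install gnupg sops` before `Generate a GPG/OpenPGP key with no passphrase`.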
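Review bot: the second hunk of PATCH 1/2 (`@@ -181,38 +216,6 @@`) removes the age block verbatim, including the "same workflow than PGP" wording, so any fix to that sentence has to land in the relocated copy rather than here; the heading text `## Encrypting secrets using age` is unchanged by the move, so existing `#encrypting-secrets-using-age` anchors keep resolving. After this removal the "you shouldn't apply the encrypted secrets onto the cluster with kubectl" alert runs straight into `## Encrypting secrets using HashiCorp Vault`; check that the Vault section does not assume the age key or `sops-age` secret was just created above it.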
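Review bot: in PATCH 2/2 (`@@ -51,6 +51,20 @@`) the added `Kustomization` example has no `namespace` in `metadata`, but `decryption.secretRef` is resolved in the Kustomization's own namespace and the secret was created with `--namespace=flux-system` earlier in the guide, so as written the reference would look for `sops-age` in the default namespace; add `namespace: flux-system` under `metadata` next to `name: apps`. Minor style points: the rest of the guide tags fences as `sh`/`console`, so use `yaml` rather than `yml` for this block, and drop one of the two blank lines inserted between the closing fence and `## Generate a GPG key`.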