Secret management for applications
Secret management for applications#
This onboarding guide will help you set up your application’s secrets in a way that will make them consumable by our ArgoCD deployments, while not compromising the resource confidentiality.
Install GPG and SOPS
Have ready your own/team-owned secret GPG key that you want to access the encrypted data with
Or use the toolbox.
Obtain OperateFirst GPG public key#
gpg --keyserver keys.openpgp.org --recv 0508677DD04952D06A943D5B4DC4116D360E3276
Create sops file#
.sops.yaml file within your application manifests repository with the following content:
creation_rules: - encrypted_regex: "^(data|stringData)$" pgp: "0508677DD04952D06A943D5B4DC4116D360E3276, YOUR_TEAM_GPG_KEY_FIGERPRINT"
This creation rule specifies:
encrypted_regexinstructs SOPS to (by default) encrypt only the
stringDataproperties of resources
pgpspecifies which GPG keys to be used for the encryption. Multiple key fingerprints can be specified here separated by a comma. Each of the private GPG key holders to fingerprints specified in this list will be able to decrypt and re-encrypt the resource.
For more details on the SOPS configuration, please consult the SOPS documentation.
Encrypting a resource#
To encrypt a resource, run the
sops --encrypt/-e command:
sops -e path/to/resource.yaml > path/to/resource.enc.yaml
Make sure the encrypted resource includes the
0508677DD04952D06A943D5B4DC4116D360E3276 GPG key, otherwise our ArgoCD won’t be able to decrypt and apply the resource.
grep "fp: " path/to/resource.enc.yaml fp: 0508677DD04952D06A943D5B4DC4116D360E3276 fp: YOUR_TEAM_GPG_KEY_FIGERPRINT
Updating a resource#
If you hold one of the GPG keys needed for the decryption, SOPS CLI allows you to also update the resource. Be advised: You need to have public keys to all the used GPG keys in your keyring otherwise the encryption after your changes won’t be successful. Running the following command, SOPS decrypts the resource and opens it in your default editor. The resource will be reencrypted when the file is save and editor closed:
Enabling ArgoCD for decryption#
Based on the toolkit you use to structure your manifests with, please follow these guides: