Secret management for applications
This onboarding guide helps you set up your application’s secrets so that our ArgoCD deployments can consume them without compromising the confidentiality of the resource.
Prerequisites
- Install GPG and SOPS
- Have your own or team-owned secret GPG key ready; this is the key you will use to access the encrypted data
- Or use the toolbox.
Obtain the OperateFirst GPG public key
Fetch the 0508677DD04952D06A943D5B4DC4116D360E3276 GPG key:
gpg --keyserver keys.openpgp.org --recv 0508677DD04952D06A943D5B4DC4116D360E3276
Create the sops file
Create a .sops.yaml file within your application manifests repository with the following content:
creation_rules:
  - encrypted_regex: "^(data|stringData)$"
    pgp: "0508677DD04952D06A943D5B4DC4116D360E3276, YOUR_TEAM_GPG_KEY_FINGERPRINT"
This creation rule specifies:
- encrypted_regex: instructs SOPS to encrypt (by default) only the data or stringData properties of resources
- pgp: specifies which GPG keys are used for the encryption. Multiple key fingerprints can be listed here, separated by commas. Anyone holding the private key for one of the listed fingerprints will be able to decrypt and re-encrypt the resource.
For more details on the SOPS configuration, please consult the SOPS documentation.
Encrypting a resource
To encrypt a resource, run the sops --encrypt (-e) command:
sops -e path/to/resource.yaml > path/to/resource.enc.yaml
Make sure the encrypted resource includes the 0508677DD04952D06A943D5B4DC4116D360E3276 GPG key, otherwise our ArgoCD won’t be able to decrypt and apply the resource:
grep "fp: " path/to/resource.enc.yaml
fp: 0508677DD04952D06A943D5B4DC4116D360E3276
fp: YOUR_TEAM_GPG_KEY_FINGERPRINT
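The two checks above (the OperateFirst fingerprint is listed as a recipient, and the data/stringData values actually ended up encrypted) scripted as an added example; this is not part of the Operate First docs or the sops tool. It assumes a sops-encrypted YAML on disk; the sample file, the second fingerprint and the enc placeholders are constructed, only the OperateFirst fingerprint comes from this page.

```shell
#!/bin/sh
# Added example (not from the Operate First docs): verify that a SOPS-encrypted
# manifest lists the required OperateFirst recipient and leaves no plaintext
# under data/stringData. Everything except OPF_FP is constructed.

OPF_FP="0508677DD04952D06A943D5B4DC4116D360E3276"

# Constructed sample in the shape sops writes: ENC[...] values under data: and
# a sops: metadata block with one pgp entry (and fingerprint) per recipient.
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: example
data:
  password: ENC[AES256_GCM,data:c2VjcmV0,iv:aWl2,tag:dGFn,type:str]
sops:
  pgp:
    - enc: "-----BEGIN PGP MESSAGE----- (placeholder) -----END PGP MESSAGE-----"
      fp: 0508677DD04952D06A943D5B4DC4116D360E3276
    - enc: "-----BEGIN PGP MESSAGE----- (placeholder) -----END PGP MESSAGE-----"
      fp: AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
  encrypted_regex: ^(data|stringData)$
EOF
}

# Returns 0 when the sops.pgp list of file $1 contains fingerprint $2, i.e.
# the holder of that key (here: our ArgoCD) can decrypt the resource.
has_recipient() {
  grep -E "^ +fp: +$2\$" "$1" >/dev/null
}

# Returns 0 when every value under data:/stringData: is an ENC[...] literal;
# a plain value there means the file was not encrypted or the regex missed it.
data_encrypted() {
  awk '/^(data|stringData):/{inblk=1; next} /^[^ ]/{inblk=0} inblk' "$1" \
    | grep -E '^ +[^ ]+: ' \
    | grep -vE ': ENC\[' >/dev/null && return 1
  return 0
}

f="$(mktemp)"
write_sample "$f"
has_recipient "$f" "$OPF_FP" && echo "ok: OperateFirst key present"
data_encrypted "$f" && echo "ok: data values encrypted"
rm -f "$f"
```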
Updating a resource
If you hold one of the GPG keys needed for decryption, the SOPS CLI also lets you update the resource. Be advised: you need the public keys of all the GPG keys used on the resource in your keyring, otherwise re-encryption after your changes will fail. Running the following command, SOPS decrypts the resource and opens it in your default editor. The resource is re-encrypted when the file is saved and the editor is closed:
sops path/to/resource.enc.yaml
Enabling ArgoCD for decryption
Based on the toolkit you use to structure your manifests, please follow these guides:
- For Kustomize manifests, please use ksops and follow the upstream documentation for ksops.
- For Helm manifests, please use helm-secrets and follow the upstream documentation for helm-secrets.