This onboarding guide will help you set up your application's secrets so that they can be consumed by our ArgoCD deployments without compromising the confidentiality of the resources.
- Please install GPG and SOPS.
- Have ready your own or team-owned GPG secret key that you want to use to access the encrypted data.
- Import the `0508677DD04952D06A943D5B4DC4116D360E3276` GPG key:

```
gpg --keyserver keys.gnupg.net --recv 0508677DD04952D06A943D5B4DC4116D360E3276
```
Please create a `.sops.yaml` file within your application manifests repository with the following content:

```yaml
creation_rules:
  - encrypted_regex: "^(data|stringData)$"
    pgp: "0508677DD04952D06A943D5B4DC4116D360E3276, YOUR_TEAM_GPG_KEY_FINGERPRINT"
```
This creation rule specifies:

- `encrypted_regex` instructs SOPS to (by default) encrypt only the `data` and `stringData` properties of resources.
- `pgp` specifies which GPG keys are used for the encryption. Multiple key fingerprints can be specified here, separated by a comma. Each holder of a private GPG key whose fingerprint is in this list will be able to decrypt and re-encrypt the resource.
For more details on the SOPS configuration, please consult the [SOPS documentation](https://github.com/mozilla/sops).
To encrypt a resource, run the `sops --encrypt` (`-e`) command:

```
sops -e path/to/resource.yaml > path/to/resource.enc.yaml
```
Please make sure the encrypted resource includes the `0508677DD04952D06A943D5B4DC4116D360E3276` GPG key; otherwise our ArgoCD won't be able to decrypt and apply the resource.

```
grep "fp: " path/to/resource.enc.yaml
```

```
fp: 0508677DD04952D06A943D5B4DC4116D360E3276
fp: YOUR_TEAM_GPG_KEY_FINGERPRINT
```
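A stricter version of that check, as an added example that is not part of this guide: a shell function that fails when the ArgoCD fingerprint from this guide is missing from the `sops.pgp` block, or when any `data`/`stringData` value was left in plaintext instead of `ENC[AES256_GCM,...]` ciphertext. It assumes the YAML layout SOPS writes for its `sops` metadata block; the sample manifests are constructed here (no real ciphertext or keys).

```shell
#!/bin/sh
# Added example, not from the onboarding guide: a pre-commit check that an
# encrypted resource is consumable by ArgoCD (required fingerprint present)
# and leaks nothing (every data/stringData value is SOPS ciphertext).
ARGOCD_FP="0508677DD04952D06A943D5B4DC4116D360E3276"   # fingerprint from the guide

# check_sops_resource FILE -> exit 0 ok, 2 ArgoCD key missing, 3 plaintext value
check_sops_resource() {
    awk -v want="$ARGOCD_FP" '
        /^(data|stringData):/ { insec = 1; next }   # enter the encrypted mapping
        /^[^ ]/               { insec = 0 }         # any other top-level key leaves it
        insec && /^[ ]+[^ ]+: / && $0 !~ /: ENC\[AES256_GCM,/ { bad++ }
        ($1 == "fp:" && $2 == want) || ($2 == "fp:" && $3 == want) { found = 1 }
        END { if (!found) exit 2; if (bad > 0) exit 3; exit 0 }
    ' "$1"
}

# Constructed samples (placeholder ciphertext and team key) so the check runs offline.
WORK="${TMPDIR:-/tmp}/sops-check.$$"; mkdir -p "$WORK"
cat > "$WORK/good.enc.yaml" <<'EOF'
apiVersion: v1
stringData:
    password: ENC[AES256_GCM,data:c29tZQ==,iv:YQ==,tag:Yg==,type:str]
sops:
    pgp:
        - fp: 0508677DD04952D06A943D5B4DC4116D360E3276
        - fp: YOUR_TEAM_GPG_KEY_FINGERPRINT
EOF
cat > "$WORK/teamonly.enc.yaml" <<'EOF'
apiVersion: v1
stringData:
    password: ENC[AES256_GCM,data:c29tZQ==,iv:YQ==,tag:Yg==,type:str]
sops:
    pgp:
        - fp: YOUR_TEAM_GPG_KEY_FINGERPRINT
EOF
cat > "$WORK/plain.enc.yaml" <<'EOF'
apiVersion: v1
stringData:
    password: hunter2
sops:
    pgp:
        - fp: 0508677DD04952D06A943D5B4DC4116D360E3276
EOF

for f in good teamonly plain; do
    if check_sops_resource "$WORK/$f.enc.yaml"; then echo "$f: ok"; else echo "$f: exit $?"; fi
done
```

Expected: `good: ok`, `teamonly: exit 2`, `plain: exit 3`; wire the function into a pre-commit hook over every `*.enc.yaml` in the repository.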
If you hold one of the GPG keys needed for decryption, the SOPS CLI also lets you update the resource. Be advised: you need to have the public keys of all the GPG keys used in your keyring, otherwise re-encryption after your changes will fail. Running the following command, SOPS decrypts the resource and opens it in your default editor. The resource is re-encrypted when the file is saved and the editor closed:
Depending on the toolkit you use to structure your manifests, please follow these guides: