Secrets encryption using SOPS
Secrets in the ska-ds-psi-infrastructure repository are encrypted using SOPS.
FluxCD can decrypt SOPS-encrypted secrets natively (via its kustomize-controller) and Ansible can consume them through the community.sops collection,
which allows us to keep the encrypted secrets in the same repository as the non-secret configuration and version both together.
Adding or updating a SOPS-encrypted file
To add or update a SOPS-encrypted file, use the following command:
sops edit path/to/file.sops.yml
This decrypts the file and opens the plain-text version in the editor set in $EDITOR. After you write the changes and exit the editor, SOPS re-encrypts the file automatically; the plain text never touches the working tree.
Note
The creation rules in the repository's .sops.yaml only match files with the .sops.yml extension. A file named differently will not be encrypted with the team's keys, so all encrypted files must use that extension.
About Kubernetes Secrets
When working with Kubernetes Secrets, the plain-text file that SOPS opens still contains Base64-encoded values: SOPS removes its own encryption layer, but the Kubernetes data field is Base64 by definition. When editing an existing file, encode each value without a trailing newline using:
echo -n "myvalue" | base64
A plain echo without -n appends a newline that ends up inside the secret value. On Linux, GNU base64 also wraps output longer than 76 characters onto several lines, which is not valid in the manifest; pass -w0 so that long values stay on a single line.
When creating a new secret, use the --dry-run=client option of kubectl to generate the manifest without touching the cluster,
which also handles the Base64 encoding for you:
kubectl -n <namespace> create secret generic <name> \
--from-literal=<key1>=<value1> \
--from-literal=<key2>=<value2> \
--dry-run=client \
-o yaml > path/to/secret.sops.yml
After that, encrypt it in place with SOPS (the creation rule in .sops.yaml that matches the path supplies the keys):
sops --encrypt --in-place path/to/secret.sops.yml
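The manifest generation and the encoding checks described above, as an added shell example that is not part of the repository's tooling: it builds the Secret manifest in plain shell with the same Base64 handling as the kubectl command, then verifies that every value under data: decodes cleanly and does not end in a newline (the usual result of echo without -n). The namespace, secret name and values are constructed; the encrypt_secret helper wrapping sops --encrypt --in-place is included for completeness but is not run by the demo.

```shell
#!/bin/sh
# Added example, not part of the ska-ds-psi-infrastructure repository: build a
# Kubernetes Secret manifest in plain shell with the same Base64 handling as
# `kubectl create secret generic --dry-run=client -o yaml`, then verify that
# every value under `data:` decodes cleanly and carries no stray newline.
# Secret names and values below are constructed for the demo.

# Base64 without a trailing newline in the input and without line wrapping in
# the output. GNU base64 wraps at 76 columns (-w0 turns that off) but macOS
# base64 has no -w, so strip newlines instead, which works on both.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# make_secret NAMESPACE NAME key=value [key=value ...] -> manifest on stdout.
# Everything after the first '=' is the value, so values may contain '='.
make_secret() {
    ns=$1; name=$2; shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
    for kv in "$@"; do
        key=${kv%%=*}
        value=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64 "$value")"
    done
}

# check_data_encoding FILE: run on the plain-text manifest (before encryption
# or inside `sops edit`, never on the encrypted file). Returns 1 and names the
# key if a value is not valid Base64 or decodes to bytes ending in a newline.
check_data_encoding() {
    file=$1
    rc=0
    for entry in $(awk '/^data:/ {inblk=1; next}
                        /^[^ ]/ {inblk=0}
                        inblk && /^  [^ ]+: / {print $1 $2}' "$file"); do
        key=${entry%%:*}
        val=${entry#*:}
        if ! printf '%s' "$val" | base64 --decode >/dev/null 2>&1; then
            echo "$key: value is not valid Base64"
            rc=1
            continue
        fi
        # hex dump of the decoded bytes; a trailing 0a is the echo-without-n slip
        hex=$(printf '%s' "$val" | base64 --decode | od -An -tx1 | tr -d ' \n')
        case $hex in
            *0a) echo "$key: decoded value ends in a newline (use echo -n or printf)"; rc=1 ;;
        esac
    done
    return $rc
}

# Encrypt in place using the repository's .sops.yaml rules (needs sops on PATH;
# not run by the demo below).
encrypt_secret() {
    sops --encrypt --in-place "$1"
}

# Demo on constructed input
tmp=$(mktemp)
make_secret demo db-credentials username=admin 'password=s3cr=t' > "$tmp"
cat "$tmp"
check_data_encoding "$tmp" && echo "encoding OK, ready for: sops --encrypt --in-place $tmp"
rm -f "$tmp"
```

Run check_data_encoding against the plain-text manifest before the first encryption, or against the decrypted text while editing; on the encrypted file every value is an ENC[...] token and the check would report all of them.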
Adding a new PGP key
To add a new PGP key to the existing chain, do the following:
1. Import the public key on your local machine using gpg --import
2. Add the full 40-character fingerprint of the new PGP key (not a short key ID) to .sops.yaml
3. Update the SOPS-encrypted files using make update-keys
4. Store a copy of the public key in resources/keys/pgp so that other team members can import it after the changes are merged
Step 3 re-encrypts the data key of every file for the new recipient, which only works if you can decrypt the files with one of the keys already in the chain. Check the result before merging: every .sops.yml file should now list the new fingerprint in its sops metadata.
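A post-step check for the procedure above, as an added shell example that is not part of the repository: after make update-keys, every .sops.yml file should list the new fingerprint under the pgp entries of its sops metadata, so a file the re-encryption missed can be spotted without decrypting anything. The script validates the fingerprint format, confirms the fingerprint is present in .sops.yaml, and reports files that still lack it. The fingerprints, paths and the mini-repository it builds are constructed for the demo; the encrypted bodies are elided placeholders.

```shell
#!/bin/sh
# Added example, not part of the ska-ds-psi-infrastructure repository: after
# `make update-keys`, check that every *.sops.yml file is encrypted to the new
# PGP key. SOPS records each PGP recipient as `fp:` under the `sops.pgp`
# metadata of the file, so a file the re-encryption missed will not mention
# the new fingerprint. All fingerprints and paths below are constructed.

# Accept the spaced form `gpg --fingerprint` prints; return 40 upper-case hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# 0 if the argument is a full 40-hex-digit v4 fingerprint; short key IDs fail.
valid_fp() {
    fp=$(normalise_fp "$1")
    [ "${#fp}" -eq 40 ] || return 1
    case $fp in *[!0-9A-F]*) return 1 ;; esac
    return 0
}

# 0 if the fingerprint is listed in the given .sops.yaml.
fp_in_sops_config() {
    grep -qi "$(normalise_fp "$1")" "$2"
}

# Print every *.sops.yml below DIR that has no pgp entry for the fingerprint;
# return 1 if at least one file is missing it, 0 if all are covered.
files_missing_fp() {
    fp=$(normalise_fp "$1")
    dir=$2
    rc=0
    for f in $(find "$dir" -name '*.sops.yml' | sort); do
        if ! grep -Eqi "^[[:space:]]+fp:[[:space:]]*${fp}[[:space:]]*$" "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed fingerprints for the demo (not real keys).
OLD_FP=0123456789ABCDEF0123456789ABCDEF01234567
NEW_FP=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# fake_sops_file PATH FP...: the minimal shape of SOPS metadata, with the
# encrypted PGP bodies elided; enough for the fingerprint check above.
fake_sops_file() {
    path=$1; shift
    {
        printf 'data:\n  password: ENC[AES256_GCM,data:...,type:str]\nsops:\n    pgp:\n'
        for k in "$@"; do
            printf '        - enc: |\n            -----BEGIN PGP MESSAGE-----\n            ...\n            -----END PGP MESSAGE-----\n          fp: %s\n' "$k"
        done
        printf '    version: 3.8.1\n'
    } > "$path"
}

# Build a constructed mini-repository: .sops.yaml listing both keys, one file
# already re-encrypted to both, one still encrypted only to the old key.
make_demo_repo() {
    dir=$1
    mkdir -p "$dir/secrets"
    cat > "$dir/.sops.yaml" <<EOF
creation_rules:
  - path_regex: \\.sops\\.yml$
    pgp: >-
      ${OLD_FP},
      ${NEW_FP}
EOF
    fake_sops_file "$dir/secrets/updated.sops.yml" "$OLD_FP" "$NEW_FP"
    fake_sops_file "$dir/secrets/stale.sops.yml" "$OLD_FP"
}

# Demo run
demo=$(mktemp -d)
make_demo_repo "$demo"
valid_fp "$NEW_FP" && fp_in_sops_config "$NEW_FP" "$demo/.sops.yaml" && echo ".sops.yaml lists $NEW_FP"
echo "files still missing $NEW_FP:"
files_missing_fp "$NEW_FP" "$demo" || echo "-> re-run make update-keys (or sops updatekeys <file>) for these"
rm -rf "$demo"
```

In the real repository, call files_missing_fp with the new fingerprint and the repository root instead of the constructed directory; a non-empty list means the re-encryption did not cover every file and the change should not be merged yet.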