From: Todd Malsbary Date: Thu, 13 Jan 2022 22:48:56 +0000 (-0800) Subject: Add SOPS support to cluster chart X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=41cb4be441a1e391a6547becbdcc1141b912a236;p=icn.git Add SOPS support to cluster chart Signed-off-by: Todd Malsbary Change-Id: Ie31e0a4031ec84f0690ea003319c44fb08801ea0 --- diff --git a/deploy/cluster/cluster.sh b/deploy/cluster/cluster.sh index 7bbc46f..85fa2f1 100755 --- a/deploy/cluster/cluster.sh +++ b/deploy/cluster/cluster.sh @@ -30,6 +30,17 @@ EOF # The name "sync" must be sorted after "flux-system" to ensure # Flux CRDs are instantiated first cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml +{{- if .Values.flux.decryptionSecret }} +--- +apiVersion: v1 +type: Opaque +kind: Secret +metadata: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + namespace: flux-system +data: + sops.asc: {{ .Values.flux.decryptionSecret | b64enc }} +{{- end }} --- apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: GitRepository @@ -56,6 +67,12 @@ spec: sourceRef: kind: GitRepository name: {{ .Values.flux.repositoryName }} +{{- if .Values.flux.decryptionSecret }} + decryption: + provider: sops + secretRef: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg +{{- end }} EOF cat <${SCRIPTDIR}/templates/flux-addon.yaml {{- if .Values.flux }} diff --git a/deploy/cluster/templates/flux-addon.yaml b/deploy/cluster/templates/flux-addon.yaml index 81322e2..8702920 100644 --- a/deploy/cluster/templates/flux-addon.yaml +++ b/deploy/cluster/templates/flux-addon.yaml @@ -4117,6 +4117,17 @@ data: - Ingress --- sync.yaml: | + {{- if .Values.flux.decryptionSecret }} + --- + apiVersion: v1 + type: Opaque + kind: Secret + metadata: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + namespace: flux-system + data: + sops.asc: {{ .Values.flux.decryptionSecret | b64enc }} + {{- end }} --- apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: GitRepository 
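Review bot: The `sops.asc` value added under `data:` in the new Secret is only `b64enc`-encoded, and because this manifest is emitted into `addons/sync.yaml` and then into `flux-addon.yaml` (which appears to be generated by this script and carries the same text under `sync.yaml: |` of a `kind: ConfigMap`), the PGP private key ends up stored base64-only in a ConfigMap and in the Helm release record, not just in a Secret. ConfigMaps do not get the RBAC separation or encryption-at-rest treatment operators commonly reserve for Secrets, so anyone able to read that ConfigMap or the release history can recover the decryption key. If the key has to travel through the chart, a comment above the `{{- if .Values.flux.decryptionSecret }}` line such as `# decryptionSecret is private key material: it is persisted (base64 only) in the Helm release and in the generated flux-addon ConfigMap` makes the exposure explicit; the stronger fix is to create the sops-gpg Secret in the target cluster out of band and have the chart reference it by name only. The same manifest is repeated in the flux-addon.yaml hunks below, so any change here must be regenerated there.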
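Review bot: The `secretRef.name` added under `decryption:` is built from `.Values.flux.branch`, as is the `metadata.name` of the Secret in the first hunk; if a branch value contains a character that is not valid in a Kubernetes object name (a `/` as in a constructed `release/1.0`, for example), both renderings produce a name the API server rejects. Sanitising in both places, e.g. `name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch | replace "/" "-" }}-sops-gpg`, or computing the name once in a named template, keeps the Secret and the reference in step. The indentation of the inserted `decryption:` block relative to `sourceRef:` cannot be checked in this view; it must sit at the same level, as a field of `spec`, for Flux to see it. The heredoc that contains these lines starts outside the hunk.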
@@ -4143,6 +4154,12 @@ data: sourceRef: kind: GitRepository name: {{ .Values.flux.repositoryName }} + {{- if .Values.flux.decryptionSecret }} + decryption: + provider: sops + secretRef: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + {{- end }} kind: ConfigMap metadata: creationTimestamp: null diff --git a/deploy/cluster/values.yaml b/deploy/cluster/values.yaml index 499b667..5684fb1 100644 --- a/deploy/cluster/values.yaml +++ b/deploy/cluster/values.yaml @@ -74,6 +74,11 @@ flux: # path is the repository to the resources to be applied to the # cluster. path: ./deploy/site/cluster-icn + # decryptionSecret is the SOPS secret key used by Flux to decrypt + # any SOPS-encrypted data stored in the resources at path. + #decryptionSecret: | + # -----BEGIN PGP PRIVATE KEY BLOCK----- + # ... # containerRuntime may be containerd or docker. containerRuntime: containerd
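Review bot: The commented example for `decryptionSecret` shows the PGP private key block pasted directly into values.yaml, and the comment does not say that this value is private key material or that, once set, it is persisted in the Helm release and in the generated flux-addon ConfigMap. Extend the comment so operators keep the key out of the repository, e.g. `# Supply this from an uncommitted values file or with --set-file flux.decryptionSecret=<path>; do not store the key in this file.`, and state that the value is the ASCII-armored PGP private key, which is presumably what the `sops.asc` entry the chart writes expects.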