Update Ansible configuration to integrate SOPS for managing secrets. Enhance README.md with SOPS usage instructions and prerequisites. Remove External Secrets Operator references and related configurations from the bootstrap process, streamlining the deployment. Adjust playbooks and roles to apply SOPS-encrypted secrets automatically, improving security and clarity in secret management.
This commit is contained in:
Nikholas Pcenicni
38
clusters/noble/secrets/README.md
Normal file
38
clusters/noble/secrets/README.md
Normal file
@@ -0,0 +1,38 @@
|
||||
# SOPS-encrypted cluster secrets (noble)
|
||||
|
||||
Secrets that belong in git are stored here as **Mozilla SOPS** files encrypted with [age](https://github.com/FiloSottile/age). The matching **private** key lives in **`age-key.txt`** at the repository root (gitignored — create with `age-keygen -o age-key.txt` and add the public key to **`.sops.yaml`** if you rotate keys).
|
||||
|
||||
**Migrating from an older cluster** that ran **Vault**, **Sealed Secrets**, or **External Secrets Operator:** uninstall those Helm releases (`helm uninstall vault -n vault`, etc.), delete their namespaces if empty, and export any secrets you still need into plain **`Secret`** YAML here, then encrypt with **`sops`** before committing.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- [sops](https://github.com/getsops/sops) and **age** on the machine that encrypts or applies secrets.
|
||||
|
||||
## Edit or create a Secret
|
||||
|
||||
```bash
|
||||
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt
|
||||
|
||||
# Create a new file from a template, then encrypt:
|
||||
sops clusters/noble/secrets/example.secret.yaml
|
||||
|
||||
# Or edit an existing encrypted file (opens decrypted in $EDITOR):
|
||||
sops clusters/noble/secrets/newt-pangolin-auth.secret.yaml
|
||||
```
|
||||
|
||||
## Apply to the cluster
|
||||
|
||||
```bash
|
||||
export KUBECONFIG=/absolute/path/to/home-server/talos/kubeconfig
|
||||
export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt
|
||||
|
||||
sops -d clusters/noble/secrets/newt-pangolin-auth.secret.yaml | kubectl apply -f -
|
||||
```
|
||||
|
||||
**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/group_vars/all.yml`).
|
||||
|
||||
## Files
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| `newt-pangolin-auth.secret.yaml` | Pangolin tunnel credentials for [Newt](../../bootstrap/newt/README.md) (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`). Replace placeholders and re-encrypt before relying on them. |
|
||||
Reference in New Issue
Block a user