SOPS für FluxCD einrichten
SOPS & GPG installieren
# GnuPG is used below to generate the key pair and is what the `pgp:` creation rule relies on.
sudo dnf install gnupg
Download the binary
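# Fetch the sops binary together with the release's checksums file and verify
# the download before it goes anywhere near $PATH. -f makes curl fail on an
# HTTP error instead of saving an error page under the binary's name.
# (The release also ships a cosign signature for the checksums file; verifying
# it with `cosign verify-blob` additionally checks the publisher, not just integrity.)
curl -fLO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
curl -fLO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.checksums.txt
# Prints "sops-v3.10.2.linux.amd64: OK" on success; stop here if it reports FAILED.
sha256sum -c --ignore-missing sops-v3.10.2.checksums.txt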
Move the binary into your PATH
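# /usr/local/bin is normally root-owned, so this needs the same sudo as the dnf step above.
# Only install a binary whose checksum you have verified against the release's checksums file.
sudo mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops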
Make the binary executable
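# chmod needs root unless the moved file is still owned by you; sudo works in both cases.
sudo chmod +x /usr/local/bin/sops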
GPG Key generieren
# Generate the key pair that sops encrypts to and Flux decrypts with.
# %no-protection: no passphrase, because the private key is later stored as a
# plain Kubernetes Secret for Flux and nothing is there to type one. That makes
# the exported key (and this machine's keyring) as sensitive as every secret in
# the repo. Key-Type/Subkey-Type 1 = RSA; Expire-Date 0 = never expires, so
# rotation has to be done deliberately.
KEY_NAME="k3s.homelab"
KEY_COMMENT="flux secrets"
export KEY_NAME KEY_COMMENT

cat <<EOF | gpg --batch --full-generate-key
%no-protection
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Expire-Date: 0
Name-Comment: ${KEY_COMMENT}
Name-Real: ${KEY_NAME}
EOF
GPG Fingerprint anzeigen
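# Show the new key and pick up the fingerprint of its primary key (the first
# "fpr" record, field 10, of the machine-readable --with-colons output) so it
# does not have to be copied by hand into KEY_FP. If several keys match
# KEY_NAME the first one listed wins — check the printed value.
gpg --list-secret-keys "${KEY_NAME}"
KEY_FP=$(gpg --list-secret-keys --with-colons "${KEY_NAME}" | awk -F: '$1 == "fpr" { print $10; exit }')
export KEY_FP
echo "KEY_FP=${KEY_FP}"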
GPG Key als Kubernetes Secret speichern
# Hand the private key to Flux as the sops-gpg Secret in flux-system
# (presumably the Secret referenced by the Kustomization's decryption settings —
# verify name and namespace match). The key is streamed from gpg straight into
# kubectl, so it is never written to disk on this machine.
# NOTE: a Kubernetes Secret is only base64-encoded; anyone who can read Secrets
# in flux-system (or etcd) holds this key. Keep an offline backup of the key as
# well — without it nothing in the repo can be decrypted.
kubectl create secret generic sops-gpg \
  --namespace=flux-system \
  --from-file=sops.asc=/dev/stdin \
  < <(gpg --export-secret-keys --armor "$KEY_FP")
.sops.yaml im Repo anlegen
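# Tell sops which files to encrypt and how: only the values under data/stringData
# of any *.yaml file, for the GPG key generated above. Metadata (kind, name,
# namespace) stays in plaintext so Flux/kustomize can still read it.
# ${KEY_FP} is expanded by the unquoted heredoc, so it must be set (see above);
# this replaces the copy-by-hand placeholder that was easy to leave in.
cat <<EOF > .sops.yaml
creation_rules:
  - encrypted_regex: '^(data|stringData)$'
    path_regex: \.yaml$
    pgp: ${KEY_FP}
EOF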
Hetzner DNS API Token in Secret-Datei eintragen
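# Stage the cert-manager Secret for the Hetzner DNS API token. The token is
# taken from $HETZNER_DNS_API_TOKEN, or prompted for without echo when running
# interactively, so the literal never appears on the command line or in the
# shell history. The file is plaintext until `sops -e -i` below: it is created
# with owner-only permissions (umask 077) and must not be committed before that.
# Assumes the token contains no double quotes or backslashes (it is placed in a
# YAML double-quoted scalar as-is).
if [ -z "${HETZNER_DNS_API_TOKEN:-}" ] && [ -t 0 ]; then
  read -rs -p "Hetzner DNS API token: " HETZNER_DNS_API_TOKEN
  echo >&2
fi
if [ -z "${HETZNER_DNS_API_TOKEN:-}" ]; then
  echo "HETZNER_DNS_API_TOKEN is empty - not writing the secret file" >&2
else
  mkdir -p infrastructure/cert-manager
  (
    umask 077
    cat <<EOF > infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: hetzner-dns-api-token
  namespace: cert-manager
type: Opaque
stringData:
  token: "${HETZNER_DNS_API_TOKEN}"
EOF
  )
fi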
Mit SOPS verschlüsseln
# Encrypt the file in place using the matching .sops.yaml rule: only the values
# under data/stringData become ENC[...] blobs, kind/name/namespace stay readable.
# sops overwrites the file rather than shredding it, so the plaintext may still
# be recoverable from disk depending on the filesystem — presumably acceptable
# on a workstation with full-disk encryption; verify for your setup.
sops --encrypt --in-place infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
Ins Git-Repo legen und pushen
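# Commit the secret only if sops actually encrypted it: an encrypted file has
# ENC[AES256_GCM,...] values and a top-level sops: metadata block. Without this
# check a forgotten `sops -e` pushes the plaintext token to the remote, and
# rotating the token is then the only remedy. No `exit` here on purpose, so the
# snippet is safe to paste into an interactive shell.
secret_file=infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
if grep -q 'ENC\[AES256_GCM,' "$secret_file" && grep -q '^sops:' "$secret_file"; then
  git add "$secret_file"
  git commit -m "Add Hetzner DNS API token secret (encrypted with SOPS)"
  git push origin main
else
  echo "refusing to commit: ${secret_file} does not look sops-encrypted" >&2
fi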