From 323a9e1fe3f9fc4ea28d334e46f391706f80d43e Mon Sep 17 00:00:00 2001 From: Oleksandr Berezovskyi Date: Tue, 10 Feb 2026 13:09:02 +0200 Subject: [PATCH] feat(k8s): add SOPS + AGE data encryption --- .gitignore | 1 + kubernetes/dev/.sops.yaml | 4 ++++ kubernetes/flux-system/gotk-sync.yaml | 4 ++++ kubernetes/flux-system/sops-age-secret.yaml.example | 9 +++++++++ 4 files changed, 18 insertions(+) create mode 100644 kubernetes/dev/.sops.yaml create mode 100644 kubernetes/flux-system/sops-age-secret.yaml.example diff --git a/.gitignore b/.gitignore index 234ab9a..da426b7 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ terraform.tfstate terraform.tfstate.backup *.tfvars +sops-age-secret.yaml.example diff --git a/kubernetes/dev/.sops.yaml b/kubernetes/dev/.sops.yaml new file mode 100644 index 0000000..abb6258 --- /dev/null +++ b/kubernetes/dev/.sops.yaml @@ -0,0 +1,4 @@ +creation_rules: + - path_regex: .*\.sops\.yaml + encrypted_regex: "^(data|stringData)$" + age: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc diff --git a/kubernetes/flux-system/gotk-sync.yaml b/kubernetes/flux-system/gotk-sync.yaml index 015ee7c..cacceb5 100644 --- a/kubernetes/flux-system/gotk-sync.yaml +++ b/kubernetes/flux-system/gotk-sync.yaml @@ -25,3 +25,7 @@ spec: sourceRef: kind: GitRepository name: flux-system + decryption: + provider: sops + secretRef: + name: sops-age diff --git a/kubernetes/flux-system/sops-age-secret.yaml.example b/kubernetes/flux-system/sops-age-secret.yaml.example new file mode 100644 index 0000000..8cd85f0 --- /dev/null +++ b/kubernetes/flux-system/sops-age-secret.yaml.example @@ -0,0 +1,9 @@ +# Manual step: create this secret before Flux can decrypt SOPS files +# kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey= +apiVersion: v1 +kind: Secret +metadata: + name: sops-age + namespace: flux-system +stringData: + age.agekey: AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXX
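Review bot: The added pattern `sops-age-secret.yaml.example` ignores the placeholder template rather than the populated file an operator would derive from it, so a real `kubernetes/flux-system/sops-age-secret.yaml` carrying the private age key under `stringData` stays trackable and can be committed by accident. The same commit adds kubernetes/flux-system/sops-age-secret.yaml.example, which this rule now also ignores, so later edits to the template would be dropped by `git add` unless forced. Suggest ignoring the populated copy instead, e.g. `sops-age-secret.yaml` (or `**/sops-age-secret.yaml`), and leaving the `.example` template tracked; the same concern applies to the new sops-age-secret.yaml.example hunk.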
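Review bot: The new creation rule does not say what the `age:` value is or where its private counterpart lives, and since the private key is a manually created out-of-band Secret that is the one fact a future editor needs; suggest a leading comment `# age recipient (public key); the matching private key lives only in the sops-age Secret in flux-system, never in git`. Scoping `encrypted_regex` to `^(data|stringData)$` is the right choice for Secret manifests: metadata stays readable while the payload is encrypted. Note that this `.sops.yaml` sits under kubernetes/dev/, so only files beneath that directory pick up the rule; whether other environment directories need their own rule is not visible here.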
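Review bot: The new `decryption` stanza depends on a Secret that nothing in the repository creates, and the hunk carries no pointer to the manual bootstrap step; suggest a comment above it, `# requires the sops-age Secret in flux-system, created manually (see sops-age-secret.yaml.example)`. The enclosing Kustomization `spec` starts outside the hunk, so the namespace the `secretRef` resolves against is not visible here; the example manifest places the Secret in flux-system, which presumably matches. gotk-sync.yaml is normally written by `flux bootstrap`, and a re-bootstrap may regenerate it, so it is worth confirming the stanza survives that path or documenting that it must be re-applied.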
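Review bot: The kubectl command in the header comment ends with `--from-file=age.agekey=` and no path argument, so it cannot be run as written; if a bracketed placeholder was stripped in rendering it should be restored. Suggest `# kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=<path-to-age-keys.txt>` so the `*.agekey` filename convention that the `stringData` key below also relies on is explicit. The `AGE-SECRET-KEY-XXX…` placeholder is appropriate for a template, but a comment stating that the populated copy must never be committed would make the intent of the `.example` suffix unmistakable.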