feat(k8s): add SOPS + AGE data encryption

2026-02-10 13:09:02 +02:00
parent c0cf62cc35
commit 323a9e1fe3
4 changed files with 18 additions and 0 deletions
--- a/kubernetes/dev/.sops.yaml
+++ b/kubernetes/dev/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+   - path_regex: .*\.sops\.yaml
+     encrypted_regex: "^(data|stringData)$"
+     age: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
--- a/kubernetes/flux-system/gotk-sync.yaml
+++ b/kubernetes/flux-system/gotk-sync.yaml
@@ -25,3 +25,7 @@ spec:
  sourceRef:
    kind: GitRepository
    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
--- a/kubernetes/flux-system/sops-age-secret.yaml.example
+++ b/kubernetes/flux-system/sops-age-secret.yaml.example
@@ -0,0 +1,9 @@
+# Manual step: create this secret before Flux can decrypt SOPS files
+# kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=<path-to-age.key>
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sops-age
+  namespace: flux-system
+stringData:
+  age.agekey: AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXX