From 276f43fdebbeccaf65f52f5e0ea9758589e6785e Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Fri, 19 Mar 2021 12:01:01 +0200 Subject: [PATCH 1/3] Add AWS IAM role binding example to SOPS guide Signed-off-by: Stefan Prodan --- docs/guides/mozilla-sops.md | 48 ++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/docs/guides/mozilla-sops.md b/docs/guides/mozilla-sops.md index 7d2f6499..49e23556 100644 --- a/docs/guides/mozilla-sops.md +++ b/docs/guides/mozilla-sops.md @@ -38,7 +38,8 @@ EOF ``` The above configuration creates an rsa4096 key that does not expire. -For a full list of options to consider for your environment, see [Unattended GPG key generation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html). +For a full list of options to consider for your environment, see +[Unattended GPG key generation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html). Retrieve the GPG key fingerprint (second row of the sec column): @@ -124,7 +125,8 @@ gpg --import ./clusters/cluster0/.sops.pub.asc ## Configure the Git directory for encryption -Write a [SOPS config file](https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files) to the specific cluster or namespace directory used +Write a [SOPS config file](https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files) +to the specific cluster or namespace directory used to store encrypted objects with this particular GPG key's fingerprint. ```yaml 
@@ -148,7 +150,8 @@ You may wish to add other fields if you are encrypting other types of Objects. Note that you should encrypt only the `data` or `stringData` section. Encrypting the Kubernetes secret metadata, kind or apiVersion is not supported by kustomize-controller. -Ignore all `.sops.yaml` files in a [`.sourceignore`](../components/source/gitrepositories#excluding-files) file at the root of your repo. +Ignore all `.sops.yaml` files in a [`.sourceignore`](../components/source/gitrepositories#excluding-files) +file at the root of your repo. ```sh touch .sourceignore @@ -178,7 +181,8 @@ sops --encrypt --in-place basic-auth.yaml You can now commit the encrypted secret to your Git repository. !!! hint - Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl. SOPS encrypted secrets are designed to be consumed by kustomize-controller. + Note that you shouldn't apply the encrypted secrets onto the cluster with kubectl. + SOPS encrypted secrets are designed to be consumed by kustomize-controller. ### Using various cloud providers @@ -190,7 +194,13 @@ kustomize-controller to be able to fetch keys from KMS. #### AWS -IAM Role example: +Enabled the [IAM OIDC provider](https://eksctl.io/usage/iamserviceaccounts/) on your EKS cluster: + +```sh +eksctl utils associate-iam-oidc-provider --cluster= +``` + +Create an IAM Role with access to AWS KMS e.g.: ```json { 
@@ -211,6 +221,23 @@ IAM Role example: } ``` +Bind the IAM role to the `kustomize-controller` service account: + +```sh +eksctl create iamserviceaccount \ +--override-existing-serviceaccounts \ +--name=kustomize-controller \ +--namespace=flux-system \ +--attach-policy-arn= \ +--cluster= +``` + +Restart kustomize-controller for the binding to take effect: + +```sh +kubectl -n flux-system rollout restart deployment/kustomize-controller +``` + #### Azure When using Azure Key Vault you need to authenticate kustomize-controller either with [add-pod-identity](../use-cases/azure.md#aad-pod-identity) @@ -276,7 +303,8 @@ spec: value: msi ``` -Alternatively, if using a Service Principal stored in a K8s Secret, patch the Pod's envFrom to reference the `AZURE_TENANT_ID`/`AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET` +Alternatively, if using a Service Principal stored in a K8s Secret, patch the Pod's envFrom +to reference the `AZURE_TENANT_ID`/`AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET` fields from your Secret. ```yaml @@ -295,10 +323,12 @@ spec: name: sops-akv-decryptor-service-principal ``` -At this point, kustomize-controller is now authorized to decrypt values in SOPS encrypted files from your Sources via the related Key Vault. +At this point, kustomize-controller is now authorized to decrypt values in +SOPS encrypted files from your Sources via the related Key Vault. -See Mozilla's guide to [Encrypting Using Azure Key Vault](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) to get started -committing encrypted files to your Git Repository or other Sources. +See Mozilla's guide to +[Encrypting Using Azure Key Vault](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) +to get started committing encrypted files to your Git Repository or other Sources. #### Google Cloud From bb9f476be2ad47f2daaaa9562c0b2be36d72b8e4 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Fri, 19 Mar 2021 12:01:33 +0200 Subject: [PATCH 2/3] Fix typo in image automation guide 
Signed-off-by: Stefan Prodan --- docs/guides/image-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/image-update.md b/docs/guides/image-update.md index bd8cffff..64ce95b8 100644 --- a/docs/guides/image-update.md +++ b/docs/guides/image-update.md @@ -425,7 +425,7 @@ metadata: name: flux-system spec: commit: - messsageTemplate: | + messageTemplate: | Automated image update Automation name: {{ .AutomationObject }} From 968f249562b053e52eb9c915cca739a340b092a3 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Fri, 19 Mar 2021 12:02:09 +0200 Subject: [PATCH 3/3] Move GOTK diagram to docs/files Signed-off-by: Stefan Prodan --- README.md | 2 +- docs/{diagrams => _files}/gitops-toolkit.png | Bin docs/index.md | 2 +- docs/internal/release.md | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename docs/{diagrams => _files}/gitops-toolkit.png (100%) diff --git a/README.md b/README.md index 9b04086d..a2abc60b 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources, which can be created and updated by a cluster user, or by other automation tooling. -![overview](docs/diagrams/gitops-toolkit.png) +![overview](docs/_files/gitops-toolkit.png) You can use the toolkit to extend Flux, or to build your own systems for continuous delivery -- see [the developer diff --git a/docs/diagrams/gitops-toolkit.png b/docs/_files/gitops-toolkit.png similarity index 100% rename from docs/diagrams/gitops-toolkit.png rename to docs/_files/gitops-toolkit.png diff --git a/docs/index.md b/docs/index.md index f4921f80..2f18bd4d 100644 --- a/docs/index.md +++ b/docs/index.md @@ -44,7 +44,7 @@ The `flux` command-line tool is a convenient way to bootstrap the system in a cluster, and to access the custom resources that make up the API. -![overview](diagrams/gitops-toolkit.png) +![overview](_files/gitops-toolkit.png) ## Where do I start? 
diff --git a/docs/internal/release.md b/docs/internal/release.md index 0910a181..6f204703 100644 --- a/docs/internal/release.md +++ b/docs/internal/release.md @@ -24,7 +24,7 @@ Repositories subject to semver releases: - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/image-reflector-controller/api`, `github.com/fluxcd/pkg/*` 1. [fluxcd/notification-controller](https://github.com/fluxcd/notification-controller) - modules: `api` - - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/pkg/*` + - dependencies: `github.com/fluxcd/pkg/*` 1. [fluxcd/flux2](https://github.com/fluxcd/flux2) - modules: `manifestgen` - dependencies: `github.com/fluxcd/source-controller/api`, `github.com/fluxcd/kustomize-controller/api`, `github.com/fluxcd/helm-controller/api`, `github.com/fluxcd/image-reflector-controller/api`, `github.com/fluxcd/image-automation-controller/api`, `github.com/fluxcd/notification-controller/api`, `github.com/fluxcd/pkg/*`
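Review bot: In the `@@ -190,7 +194,13 @@` hunk of docs/guides/mozilla-sops.md the cluster placeholder is missing from `eksctl utils associate-iam-oidc-provider --cluster=` (the flag ends in a bare `=`); spell it out as `--cluster=<cluster-name>` and add `--approve`, since eksctl only plans the OIDC association unless told to apply it. Two wording points in the same hunk: "Enabled the IAM OIDC provider" should be the imperative "Enable", matching "Create", "Bind" and "Restart" in the steps that follow, and "Create an IAM Role with access to AWS KMS e.g.:" mislabels the JSON that follows, because the next hunk passes it as `--attach-policy-arn=` and lets eksctl create the role itself. Call it an IAM policy, and say what it should grant rather than "access to AWS KMS": kustomize-controller only decrypts, so a least-privilege policy needs `kms:Decrypt` scoped to the ARN of the key used in `.sops.yaml`, not broad KMS access.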
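Review bot: In the `@@ -211,6 +221,23 @@` hunk the `eksctl create iamserviceaccount` command has empty values for `--attach-policy-arn=` and `--cluster=` and lacks `--approve`, so as written it neither names its inputs nor applies the change; suggest `--attach-policy-arn=<policy-arn>`, `--cluster=<cluster-name>` and `--approve`. Because the `kustomize-controller` ServiceAccount in `flux-system` is itself reconciled by Flux from the Git repository, the `eks.amazonaws.com/role-arn` annotation that `--override-existing-serviceaccounts` writes can be reverted on the next reconciliation; the guide should tell readers to also apply the annotation from Git (for example as a kustomize patch on the ServiceAccount). The "Restart kustomize-controller for the binding to take effect" step is right, but a one-line reason (the web-identity token volume and environment variables are injected only when a pod is created) would stop readers from skipping it. Style: indent the continuation lines of the multi-line command under the first line.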
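Review bot: The docs/internal/release.md hunk (`@@ -24,7 +24,7 @@`) drops `github.com/fluxcd/source-controller/api` from fluxcd/notification-controller's dependency list, which is a release-process change unrelated to the diagram move described by the commit subject "Move GOTK diagram to docs/files"; split it into its own commit or mention it in the message so the change is not lost to anyone reading the history. Also, the subject says `docs/files` while the rename target and the updated links are `docs/_files`; align the subject with the actual path.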