|
|
|
@ -102,10 +102,12 @@ Note that the `sops-gpg` can contain more than one key, sops will try to decrypt
|
|
|
|
secrets by iterating over all the private keys until it finds one that works.
|
|
|
|
secrets by iterating over all the private keys until it finds one that works.
|
|
|
|
|
|
|
|
|
|
|
|
!!! hint KMS
|
|
|
|
!!! hint KMS
|
|
|
|
When using AWS/GCP KMS or Azure Key Vault, you'll have to bind an IAM Role
|
|
|
|
When using AWS/GCP KMS, you'll have to bind an IAM Role
|
|
|
|
with read access to the KMS keys to the `default` service account of the
|
|
|
|
with read access to the KMS keys to the `default` service account of the
|
|
|
|
`flux-system` namespace for kustomize-controller to be able to fetch
|
|
|
|
`flux-system` namespace for kustomize-controller to be able to fetch
|
|
|
|
keys from KMS.
|
|
|
|
keys from KMS. When using Azure Key Vault you need to authenticate the kustomize controller either by passing
|
|
|
|
|
|
|
|
[Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault)
|
|
|
|
|
|
|
|
or with [add-pod-identity](https://github.com/Azure/aad-pod-identity).
|
|
|
|
|
|
|
|
|
|
|
|
## GitOps workflow
|
|
|
|
## GitOps workflow
|
|
|
|
|
|
|
|
|
|
|
|
|
Philip Laine
4 years ago