This documentation provides an in-depth overview of how to manage and store secrets in a production environment using the fluxcd/flux2-kustomize-helm-example repository. The focus will be on leveraging Kubernetes native features and Flux’s capabilities to ensure secure and efficient secret management.

Overview of Secret Management

In Kubernetes, secrets are used to manage sensitive information such as passwords, OAuth tokens, and SSH keys. The use of secrets is crucial in production environments to avoid hardcoding sensitive data into application source code or configuration files.

The fluxcd/flux2-kustomize-helm-example employs Kustomize for managing Kubernetes manifests, which allows for overlaying configuration settings while maintaining separate environments.

Directory Structure

The repository is organized into several directories:

  • apps: Contains Helm releases with custom configurations per cluster.
  • infrastructure: Holds common infrastructure tools.
  • clusters: Contains the Flux configuration for each cluster.

The directory structure for managing secrets can be tied into the infrastructure directory.

Steps for Storing and Managing Secrets

Step 1: Create Secrets in Kubernetes

First, define your secrets as Kubernetes Secret manifests. An example Secret for a database credential:

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: your-namespace
data:
  # values under data: must be base64-encoded, e.g. $(printf 'admin' | base64)
  username: <base64_encoded_username>
  password: <base64_encoded_password>

You can apply this secret to the cluster by saving it into a YAML file (e.g., db-credentials.yaml) and running:

kubectl apply -f db-credentials.yaml

Step 2: Reference Secrets in Your Application Deployment

When deploying applications with Kustomize, you can reference the Secret created in Step 1. Modify your Deployment manifest to expose its keys as environment variables:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-app
spec:
  ...
  template:
    spec:
      containers:
        - name: your-app-container
          image: your-app-image
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password

Step 3: Integrate Secrets into Kustomize Overlays

In the Flux Kustomization for the cluster, include the directory that holds your Secret manifests so they are reconciled together with the rest of the infrastructure. For instance, clusters/production/infrastructure.yaml applies everything under ./infrastructure/configs (the patch shown targets the letsencrypt ClusterIssuer):

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra-configs
  namespace: flux-system
spec:
  dependsOn:
    - name: infra-controllers
  interval: 1h
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure/configs
  patches:
  - patch: |
      - op: replace
        path: /spec/acme/server
        value: https://acme-v02.api.letsencrypt.org/directory
    target:
      kind: ClusterIssuer
      name: letsencrypt

Step 4: Secure Secrets Using GitOps with Flux

When managing secrets, ensure that they are referenced securely: a Secret manifest committed to Git is readable by anyone with access to the repository, because base64 is an encoding and not encryption. Leverage GitOps with Flux to track the state of your infrastructure in a Git repository, so that any change to how secrets are referenced goes through a pull request.

Step 5: Monitoring and Reconciliation

Monitor the application and secret deployments using the Flux CLI. To verify the current state of your Kustomizations, run:

flux get kustomizations --watch

This command streams the reconciliation status of every Flux Kustomization, including the one that applies your Secret manifests, so failures surface as they happen.

Step 6: Validate Secrets Management

Implement validation scripts to ensure that secrets are handled properly within CI/CD pipelines. For instance, extend the repository's scripts/validate.sh to verify the presence and integrity of secrets in your manifests:

# list the Secrets present in the target namespace (requires cluster access)
echo "INFO - Validating secrets"
kubectl get secrets --namespace your-namespace
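The cluster-side check above needs kubectl access; the following is an added example, not the repository's own validate.sh, of an offline check that can run on the manifests alone. It verifies that every secretKeyRef in a Deployment (Step 2) resolves to a key some Secret manifest (Step 1) in the same directory defines, and that the values under data: are valid base64, so an unfilled <placeholder> is caught before it is applied. The sample Secret and Deployment it runs against are constructed inside the script; the parsing is line-based and assumes the flat manifest shapes shown above.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own scripts/validate.sh: offline checks that every
# secretKeyRef in a Deployment resolves to a key some Secret manifest in the directory defines,
# and that Secret data: values are valid base64 (an unfilled <placeholder> from Step 1 fails).
set -u
list_secret_refs() {   # prints secret/key for every secretKeyRef in the given files
  awk '/secretKeyRef:/ {r=1; next}
       r && /^[[:space:]]*name:/ {n=$2}
       r && /^[[:space:]]*key:/ {print n "/" $2; r=0}' "$@"
}
list_secret_keys() {   # prints secret/key for every key under data:/stringData: of a Secret
  awk 'FNR==1 || /^---/ {s=0; d=0}
       /^kind:[[:space:]]*Secret/ {s=1}
       s && !d && /^[[:space:]]*name:/ {n=$2}
       s && /^(data|stringData):/ {d=1; next}
       s && d && /^[[:space:]]+[^[:space:]]+:/ {k=$1; sub(/:$/, "", k); print n "/" k; next}
       s && d && /^[^[:space:]]/ {d=0}' "$@"
}
check_secret_refs() {  # returns 0 if every ref resolves, 1 otherwise (unresolved refs printed)
  local keys ref rc=0
  keys=$(list_secret_keys "$1"/*.yaml)
  for ref in $(list_secret_refs "$1"/*.yaml); do
    printf '%s\n' "$keys" | grep -qx -- "$ref" || { echo "ERROR - unresolved secretKeyRef $ref"; rc=1; }
  done
  return $rc
}
check_secret_base64() {  # returns 0 if every data: value decodes as base64, 1 otherwise
  local f v rc=0
  for f in "$1"/*.yaml; do
    grep -q '^kind:[[:space:]]*Secret' "$f" || continue
    for v in $(awk '/^data:/ {d=1; next} d && /^[[:space:]]+[^[:space:]]+:/ {print $2; next} d && /^[^[:space:]]/ {d=0}' "$f"); do
      printf '%s' "$v" | base64 -d >/dev/null 2>&1 || { echo "ERROR - $f: not base64: $v"; rc=1; }
    done
  done
  return $rc
}
make_sample_manifests() {  # constructed input: Secret + Deployment; $1 = key the second ref asks for, $2 = password value
  local dir; dir=$(mktemp -d)
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: db-credentials\n  namespace: demo\ndata:\n  username: %s\n  password: %s\n' \
    "$(printf 'admin' | base64)" "$2" > "$dir/db-credentials.yaml"
  printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: your-app\nspec:\n  template:\n    spec:\n      containers:\n        - name: app\n          env:\n' > "$dir/deployment.yaml"
  printf '            - name: %s\n              valueFrom:\n                secretKeyRef:\n                  name: db-credentials\n                  key: %s\n' \
    DB_USERNAME username DB_PASSWORD "$1" >> "$dir/deployment.yaml"
  echo "$dir"
}
good=$(make_sample_manifests password "$(printf 's3cret' | base64)")   # consistent manifests
check_secret_refs "$good" && check_secret_base64 "$good" && echo "OK - $good"
bad=$(make_sample_manifests host '<base64_encoded_password>')          # missing key + placeholder
{ check_secret_refs "$bad"; check_secret_base64 "$bad"; } || echo "FAIL - $bad (expected)"
```

Run it against a real overlay by pointing check_secret_refs and check_secret_base64 at the directory instead of the constructed samples; both return non-zero on a problem, so they can gate a CI job.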

Conclusion

By following the above steps, you can manage sensitive information in a production environment built on the fluxcd/flux2-kustomize-helm-example. This approach keeps sensitive data out of application code and configuration while integrating it into your deployment workflows, maintaining a strong stance on security and compliance.

For any references used, please consult the original README.md and related files in the repository.