This documentation outlines a step-by-step guide for managing secrets in a production environment utilizing fluxcd/flux2-multi-tenancy. The focus is on securely storing and retrieving sensitive information required for application deployment.

Prerequisites

Before managing secrets, ensure the following tools are installed:

• GNU Privacy Guard (GPG)
• SOPS CLI

Install them using Homebrew:

brew install gnupg sops

Step 1: Generate and Store Your GPG Key

1. Generate a GPG Key
   Create a GPG key without a passphrase, which will be used for encrypting and decrypting secrets. Retrieve the GPG key ID for future use:

   gpg --full-generate-key
   

2. List GPG Secret Keys
   Verify that your GPG key has been created successfully:

   gpg --list-secret-keys
   

   An example output could look like this:

   sec   rsa3072 2020-09-06 [SC]
   1F3D1CED2F865F5E59CA564553241F147E7C5FA4
   

3. Create a Kubernetes Secret
   Export the GPG private key to a Kubernetes secret in the flux-system namespace. This will allow SOPS to utilize the GPG key for secret decryption:

   gpg --export-secret-keys \
   --armor 1F3D1CED2F865F5E59CA564553241F147E7C5FA4 |
   kubectl create secret generic sops-gpg \
   --namespace=flux-system \
   --from-file=sops.asc=/dev/stdin
   

It is crucial to store the GPG private key securely for disaster recovery. Public keys can be shared with teams who need encryption capabilities on production secrets.

Step 2: Create Secrets for Application Deployment

Secrets such as credentials for accessing external systems should be created and encrypted before being committed to the Git repository. Here’s how to create a Kubernetes secret with basic auth credentials for GitHub:

flux -n apps create secret git dev-team-auth \
--url=https://github.com/ \
--username=$GITHUB_USERNAME \
--password=$GITHUB_TOKEN \
--export > ./tenants/base/dev-team/auth.yaml

Ensure that the GitHub token used has read-only access to the required repository.

Step 3: Configure Repository Access with SSH

If you need to manage access using SSH keys, generate and store these in a similar manner:

1. Create and Export SSH Key
   Create the secret containing the SSH and known host keys:

   flux -n apps create secret git dev-team-auth \
   --export > ./tenants/base/dev-team/auth.yaml
   

2. Retrieve and Add SSH Public Key
   Extract the SSH public key and add it as a read-only deploy key to the repository:

   yq eval 'data."identity.pub"' git-auth.yaml | base64 --decode
   

Step 4: Encryption of Secrets with SOPS

Using SOPS, encrypt the secrets before committing them to the repo. The following provides an example of how to encrypt a file:

1. Encrypt a Secrets File

   Assuming you have a secrets.yaml file:

   sops -e secrets.yaml > secrets.enc.yaml
   

   This file contains your secrets and will now be securely stored within your Git repository.

Step 5: Decrypting Secrets for Usage

When deploying, you will likely need to decrypt your secrets. Here’s how to do that using SOPS:

1. Decrypt Using GPG

   For example, to decrypt the previously encrypted secrets.enc.yaml:

   sops -d secrets.enc.yaml > secrets.yaml
   

The decrypted file can now be used for deployment purposes.

Conclusion

Following the steps outlined above, Production Secrets can be managed securely using fluxcd/flux2-multi-tenancy along with SOPS and GPG. This approach ensures that sensitive information remains protected while allowing seamless integration into Kubernetes workflows.

For more specific operations or configurations, refer to the project’s documentation or source files as needed.