Secret Encryption - fluxcd/flux2-multi-tenancy

Secret Encryption in Flux2 Multi-Tenancy

Flux2 multi-tenancy follows Kubernetes best practices for security and RBAC. A Flux Kustomization or HelmRelease can only reference Secrets and ConfigMaps (decryption keys, kubeconfigs, Helm values, substitution variables) that live in its own namespace; cross-namespace references to that kind of sensitive data are never allowed. Sources (GitRepository, OCIRepository, HelmRepository, Bucket) and notification event sources, on the other hand, can be referenced across namespaces by default. That behaviour is governed by each controller's --no-cross-namespace-refs flag, and the multi-tenancy lockdown sets it to true on kustomize-controller, helm-controller, notification-controller, image-reflector-controller and image-automation-controller, so a tenant can only consume sources in its own namespace.
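The lockdown described above, as an added example that is not part of this page or of the fluxcd/flux2-multi-tenancy repository itself: a Kustomize overlay for the flux-system directory that adds the flags to the controller Deployments (file paths and the second patch's service account name are assumptions for illustration):

```yaml
# Added example: flux-system lockdown overlay (paths and names are placeholders).
# clusters/production/flux-system/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # Refuse cross-namespace references to sources and event sources in every
  # controller that resolves them. Secret/ConfigMap references are already
  # namespace-local regardless of this flag.
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-cross-namespace-refs=true
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
  # Apply tenant manifests with the tenant namespace's "default" service
  # account whenever a Kustomization/HelmRelease does not set
  # spec.serviceAccountName, so tenants never inherit the cluster-admin
  # identity that the controllers themselves run with.
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --default-service-account=default
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller)"
```

After this overlay is reconciled, a tenant Kustomization whose sourceRef points at a GitRepository in flux-system (or any other namespace) fails with a cross-namespace reference error instead of being applied, which is the check to run when verifying the lockdown.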

Flux provides several options for secrets management:

1. Kubernetes Secrets

Kubernetes has a built-in mechanism for storing and managing secrets. Secret objects are persisted in etcd base64-encoded, which is plain text unless encryption at rest is enabled on the API server, so access to etcd or to the Secrets API is equivalent to access to the secret values. Flux itself relies on plain Kubernetes Secrets: flux bootstrap stores the generated SSH deploy key in the flux-system Secret in the flux-system namespace, which the source-controller uses to clone the repository.

2. Secrets Decryption Operators

Secrets decryption operators, such as Sealed Secrets, allow secrets to be stored in ciphertext as custom resources (for example a SealedSecret) inside a Flux source. Flux applies the custom resource to the cluster as-is; the operator running in the cluster holds the private key, decrypts the resource and generates the corresponding Kubernetes Secret. The Git repository therefore only ever contains ciphertext, and the decryption key never leaves the cluster.
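A SealedSecret as it would be committed to a tenant's Git source, added here as an example rather than taken from the page or the project; the namespace, names and the ciphertext are placeholders, not the output of a real kubeseal run:

```yaml
# Added example: SealedSecret committed to Git (names and ciphertext are placeholders).
# Produced with the controller's public certificate, e.g.
#   kubeseal --format yaml --cert sealed-secrets.pem < secret.yaml > sealed-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: tenant-a          # placeholder tenant namespace
spec:
  # kubeseal's default "strict" scope binds the ciphertext to this exact
  # name and namespace. If tenant-b copies this object into its own
  # namespace the controller refuses to unseal it, which is what keeps
  # one tenant from reusing another tenant's secrets.
  encryptedData:
    username: AgA-placeholder-ciphertext
    password: AgB-placeholder-ciphertext
  template:
    # Metadata and type of the Secret the controller generates after decryption.
    metadata:
      name: db-credentials
      namespace: tenant-a
    type: Opaque
```

The plaintext secret.yaml used as kubeseal input must never be committed; only the SealedSecret goes into the repository, and the controller's private key stays in the sealed-secrets namespace of the cluster.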

3. External Secret Stores

The secret values can also stay in an external secret manager, with only a non-sensitive reference manifest stored in Git. The GitOps workflow still versions the configuration, but the repository never holds the secret value. Operators such as the 1Password Operator and the External Secrets Operator watch those manifests, fetch the values from the external store and create Kubernetes Secrets in the cluster.
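An External Secrets Operator setup for one tenant, added as an example that is not part of this page or the project; the Vault address, mount, role and paths are assumptions for illustration:

```yaml
# Added example: External Secrets Operator manifests for tenant-a.
# Vault address, mount, role and key paths are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore             # namespaced on purpose: only tenant-a can reference it
metadata:
  name: vault-tenant-a
  namespace: tenant-a
spec:
  provider:
    vault:
      server: https://vault.example.internal:8200
      path: secret
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: tenant-a      # Vault role bound to this namespace's ServiceAccount only
          serviceAccountRef:
            name: external-secrets-tenant-a
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret          # this is what goes into Git; it contains no secret value
metadata:
  name: db-credentials
  namespace: tenant-a
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: vault-tenant-a
  target:
    name: db-credentials      # Kubernetes Secret the operator creates and keeps in sync
    creationPolicy: Owner
  data:
    - secretKey: password     # key in the generated Secret
      remoteRef:
        key: tenant-a/database  # path in Vault; the value never enters the repository
        property: password
```

Using a namespaced SecretStore rather than a ClusterSecretStore matters in a multi-tenant cluster: each tenant authenticates to the secret manager with its own service account and role, so a tenant cannot read another tenant's paths even if it copies the ExternalSecret manifest.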

4. SOPS Encryption

SOPS encrypts the values of a manifest but, when configured with an encrypted_regex that matches only data and stringData, leaves apiVersion, kind and metadata in plain text. That is what makes Flux's Kustomize Controller integration work: kustomize-controller can build and patch the encrypted Secret like any other manifest and decrypts the values at reconcile time, using a key that must be supplied in a Secret in the Kustomization's own namespace, so one tenant cannot use another tenant's decryption key. The flip side is that the Secret's name, namespace, labels and annotations are visible to anyone with read access to the repository, so no sensitive information belongs in metadata.
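The SOPS workflow for one tenant, added here as an example that is not part of the page or the project: the .sops.yaml creation rule, the shape of the encrypted Secret that gets committed, and the tenant Kustomization that decrypts it. The age recipient is the public example key from the age documentation, the ciphertext is abbreviated, and all names are placeholders:

```yaml
# Added example: SOPS + Flux for tenant-a (names and ciphertext are placeholders).
# File 1: .sops.yaml at the root of the tenant repository. Encrypt only the
# secret values so that kind and metadata stay readable by kustomize-controller.
creation_rules:
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p   # placeholder recipient
---
# File 2: the committed Secret after `sops --encrypt --in-place secret.yaml`.
# Only the values are ciphertext; name, namespace and labels are plain text.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: tenant-a
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
  age:
    - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        placeholder
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
---
# File 3: the tenant Kustomization. The private key is created once, out of band,
# in the tenant namespace and never committed:
#   kubectl -n tenant-a create secret generic sops-age --from-file=age.agekey
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tenant-a
  namespace: tenant-a
spec:
  interval: 10m
  path: ./
  prune: true
  serviceAccountName: flux        # RBAC-limited account in tenant-a
  sourceRef:
    kind: GitRepository
    name: tenant-a                # same namespace; other namespaces are rejected
  decryption:
    provider: sops
    secretRef:
      name: sops-age              # looked up in tenant-a only, never in flux-system
```

A useful pre-commit check is to grep the repository for Secret manifests whose data or stringData values do not start with ENC[; any hit is a plaintext secret about to be pushed.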

The flux CLI can generate the Secrets that Flux itself needs to talk to Git, Helm and OCI repositories, so that the private key or token is written straight into the cluster (or exported as YAML to be encrypted before commit) rather than hand-crafted. The help output of flux create secret:

flux create secret

Create or update Kubernetes secrets

Synopsis
  The create secret sub-commands generate Kubernetes secrets specific to Flux.

Options
  -h, --help   help for secret

Options inherited from parent commands
      --as string                      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string                  UID to impersonate for the operation.
      --cache-dir string               Default cache directory (default "/opt/buildhome/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority to authenticate the Kubernetes API server
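The Secret that the git sub-command produces, and the GitRepository that consumes it, added as an example that is not from this page or the project; the repository URL, key material and names are placeholders:

```yaml
# Added example: output of
#   flux create secret git tenant-a-auth --namespace=tenant-a \
#     --url=ssh://git@github.com/example/tenant-a --export
# URL, key material and names are placeholders. Without --export the CLI
# applies the Secret directly; with --export it prints YAML that can be
# piped through SOPS before it is committed.
apiVersion: v1
kind: Secret
metadata:
  name: tenant-a-auth
  namespace: tenant-a
stringData:
  identity: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    placeholder
    -----END OPENSSH PRIVATE KEY-----
  identity.pub: ssh-ed25519 AAAA-placeholder flux
  known_hosts: github.com ssh-ed25519 AAAA-placeholder
---
# The source references the Secret in its own namespace. Only identity.pub is
# registered with the Git hosting service, as a read-only deploy key; the
# private key stays in the cluster.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: tenant-a
  namespace: tenant-a
spec:
  interval: 1m
  url: ssh://git@github.com/example/tenant-a
  ref:
    branch: main
  secretRef:
    name: tenant-a-auth
```

Pinning known_hosts in the Secret is what lets the source-controller verify the Git server's host key; leaving it out is not an option for SSH sources, and it is worth re-checking the entry against the provider's published fingerprints rather than trusting whatever ssh-keyscan returned at creation time.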

For more information, check out the Flux documentation and the Flux2 multi-tenancy guide.