Overview
The FluxCD project adheres to best practices for managing secrets in production environments. This documentation provides a step-by-step guide on how Flux2 handles secrets, ensuring that sensitive information is securely stored and managed across various contexts, including GitOps workflows.
Secret Management in Flux2
Flux2 supports different types of secrets which can be created and managed via the command line interface. These include Docker registry secrets, Git repository secrets, Helm secrets, and TLS secrets. To properly manage secrets, follow the steps below.
Creating Secrets
1. Creating Docker Registry Secrets
To create a secret for a Docker registry, you can use the following command:
package cmd
import (
"github.com/spf13/cobra"
)
func createSecretOCICmd() *cobra.Command {
cmd := &cobra.Command{
Use: "create secret",
Short: "Create a Docker registry secret",
RunE: func(cmd *cobra.Command, args []string) error {
// Logic to create OCI secret
return nil
},
}
return cmd
}
Usage:
flux create secret docker-registry my-registry \
--username=my-user \
--password=my-password \
[email protected]
This command will securely create a secret named my-registry
with your Docker credentials.
2. Creating Git Repository Secrets
For Git repository access, you can create a secret with the following command:
package cmd
import (
"github.com/spf13/cobra"
)
func createSecretGitCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "create secret git",
Short: "Create a Git repository secret",
RunE: func(cmd *cobra.Command, args []string) error {
// Logic to create Git secret
return nil
},
}
return cmd
}
Usage:
flux create secret git my-git-secret \
--username=my-username \
--token=my-token
This command will create a secret named my-git-secret
that is used for authentication with your Git repository.
3. Creating Helm Secrets
For Helm charts, you can create secrets as follows:
package cmd
import (
"github.com/spf13/cobra"
)
func createSecretHelmCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "create secret helm",
Short: "Create a Helm repository secret",
RunE: func(cmd *cobra.Command, args []string) error {
// Logic to create Helm secret
return nil
},
}
return cmd
}
Usage:
flux create secret helm my-helm-secret \
--username=my-username \
--password=my-password
This command securely creates a Helm secret for use with Helm repositories.
4. Creating TLS Secrets
For managing TLS certificates, utilize the following command:
package cmd
import (
"github.com/spf13/cobra"
)
func createSecretTLSCmd() *cobra.Command {
cmd := &cobra.Command{
Use: "create secret tls",
Short: "Create a TLS secret",
RunE: func(cmd *cobra.Command, args []string) error {
// Logic to create TLS secret
return nil
},
}
return cmd
}
Usage:
flux create secret tls my-tls-secret \
--cert=path/to/tls.crt \
--key=path/to/tls.key
This action creates a TLS secret named my-tls-secret
, allowing secure communication for your services.
Managing Secrets via Kustomize
Flux2 leverages Kustomize for customizing Kubernetes resources. When managing secrets, ensure that you include them in your Kustomization file:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./secrets.yaml
secretGenerator:
- name: my-secret
literals:
- username=my-username
- password=my-password
Run the following command to apply the Kustomization:
kubectl apply -k .
This will create and manage secrets according to the specifications defined in your Kustomization.
Best Practices for Secret Management
Minimal Exposure: Ensure secrets are only exposed to components that require access. Use role-based access controls (RBAC) to enforce this principle.
Rotation and Expiry: Regularly rotate secrets and set expiration dates wherever applicable to minimize the risk of potential leaks.
Use of External Secret Management: Consider integrating with tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault for additional security layers.
Conclusion
Flux2 provides a robust framework for managing production secrets through its command-line interface and integration with Kustomize. By following the outlined steps, developers can effectively secure their sensitive information while leveraging Flux2 for GitOps in their Kubernetes deployments.
Sources:
- The code is written in go.
- The functionality of creating secrets can be referenced in the code snippets provided in
cmd/flux/create_secret.go
,cmd/flux/create_secret_git.go
,cmd/flux/create_secret_oci.go
, andcmd/flux/create_secret_tls.go
.