Secrets Management for fluxcd/flux2

Overview

The FluxCD project adheres to best practices for managing secrets in production environments. This documentation provides a step-by-step guide on how Flux2 handles secrets, ensuring that sensitive information is securely stored and managed across various contexts, including GitOps workflows.

Secret Management in Flux2

Flux2 supports different types of secrets which can be created and managed via the command line interface. These include Docker registry secrets, Git repository secrets, Helm secrets, and TLS secrets. To properly manage secrets, follow the steps below.

Creating Secrets

1. Creating Docker Registry Secrets

To create a secret for a Docker registry, you can use the following command:

package cmd

import (
    "github.com/spf13/cobra"
)

func createSecretOCICmd() *cobra.Command {
    cmd := &cobra.Command{
        Use:   "create secret",
        Short: "Create a Docker registry secret",
        RunE: func(cmd *cobra.Command, args []string) error {
            // Logic to create OCI secret
            return nil
        },
    }
    return cmd
}

Usage:

flux create secret docker-registry my-registry \
    --username=my-user \
    --password=my-password \
    [email protected]

This command will securely create a secret named my-registry with your Docker credentials.

2. Creating Git Repository Secrets

For Git repository access, you can create a secret with the following command:

package cmd

import (
    "github.com/spf13/cobra"
)

func createSecretGitCmd() *cobra.Command {
    cmd := &cobra.Command{
        Use:   "create secret git",
        Short: "Create a Git repository secret",
        RunE: func(cmd *cobra.Command, args []string) error {
            // Logic to create Git secret
            return nil
        },
    }
    return cmd
}

Usage:

flux create secret git my-git-secret \
    --username=my-username \
    --token=my-token

This command will create a secret named my-git-secret that is used for authentication with your Git repository.

3. Creating Helm Secrets

For Helm charts, you can create secrets as follows:

package cmd

import (
    "github.com/spf13/cobra"
)

func createSecretHelmCmd() *cobra.Command {
    cmd := &cobra.Command{
        Use:   "create secret helm",
        Short: "Create a Helm repository secret",
        RunE: func(cmd *cobra.Command, args []string) error {
            // Logic to create Helm secret
            return nil
        },
    }
    return cmd
}

Usage:

flux create secret helm my-helm-secret \
    --username=my-username \
    --password=my-password

This command securely creates a Helm secret for use with Helm repositories.

4. Creating TLS Secrets

For managing TLS certificates, utilize the following command:

package cmd

import (
    "github.com/spf13/cobra"
)

func createSecretTLSCmd() *cobra.Command {
    cmd := &cobra.Command{
        Use:   "create secret tls",
        Short: "Create a TLS secret",
        RunE: func(cmd *cobra.Command, args []string) error {
            // Logic to create TLS secret
            return nil
        },
    }
    return cmd
}

Usage:

flux create secret tls my-tls-secret \
    --cert=path/to/tls.crt \
    --key=path/to/tls.key

This action creates a TLS secret named my-tls-secret, allowing secure communication for your services.

Managing Secrets via Kustomize

Flux2 leverages Kustomize for customizing Kubernetes resources. When managing secrets, ensure that you include them in your Kustomization file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ./secrets.yaml

secretGenerator:
  - name: my-secret
    literals:
      - username=my-username
      - password=my-password

Run the following command to apply the Kustomization:

kubectl apply -k .

This will create and manage secrets according to the specifications defined in your Kustomization.

Best Practices for Secret Management

Minimal Exposure: Ensure secrets are only exposed to components that require access. Use role-based access controls (RBAC) to enforce this principle.
Rotation and Expiry: Regularly rotate secrets and set expiration dates wherever applicable to minimize the risk of potential leaks.
Use of External Secret Management: Consider integrating with tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault for additional security layers.

Conclusion

Flux2 provides a robust framework for managing production secrets through its command-line interface and integration with Kustomize. By following the outlined steps, developers can effectively secure their sensitive information while leveraging Flux2 for GitOps in their Kubernetes deployments.

Sources:

The code is written in go.
The functionality of creating secrets can be referenced in the code snippets provided in cmd/flux/create_secret.go, cmd/flux/create_secret_git.go, cmd/flux/create_secret_oci.go, and cmd/flux/create_secret_tls.go.