Rendered manifests using github.com/mykso/myks. It's using a pre-release version of myks mykso/myks#257
Secrets are managed using sops with age and argocd-vault-plugin.
Secrets are stored in yaml files in secrets/.*\.yaml. They are encrypted using sops with age. Recipient is configured in .sops.yaml.
Editing files is simple: sops secrets/demo.yaml
Rendering kubernetes resources: argocd-vault-plugin generate rendered/envs/demo will spit out manifests with secrets.
Special syntax: "path:secrets/file.yaml#key"
apiVersion: v1
kind: Secret
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
namespace: argocd
type: Opaque
stringData:
foo: bar
encrypted: <path:secrets/demo.yaml#myKey>Warning: sops as backend in argocd-vault-plugin does not support nested keys or versions like vault.
parent:
child: valuekind: Secret
apiVersion: v1
metadata:
name: test-secret
type: Opaque
stringData:
password: <path:example.yaml#parent | jsonPath {.child}>Manual for now using deploy.sh
#!/bin/env bash
base=rendered/envs/some-env
apps=$(ls $base)
for app in $apps; do
argocd-vault-plugin generate "$base/$app" | kapp deploy -y -a "$app" -f -
done- Generate ns resources for each app
- automate deployment
- Create own age key for each cluster and store key in cluster?