NimTechnology

[ArgoCD/KSOPS/AWS] Encrypt secrets before pushing them to GitHub.

Posted on December 2, 2022 by nim

Earlier I wrote a post showing how to encrypt any manifest file before pushing it to GitHub; ArgoCD then decrypts the manifest and applies it to k8s:

[ArgoCD/KSOPS] Encrypting Resource on kustomize and Argocd.
In that post we did not depend on AWS or Google to encrypt or decrypt the data.

This time we will use KSOPS together with AWS KMS.

We need to install sops.

Reference: https://pypi.org/project/sops/

apt-get update -y
sudo apt-get install gcc git libffi-dev libssl-dev libyaml-dev make openssl python-dev python-pip
sudo pip install --upgrade sops

You need to create a KMS key on AWS beforehand.

You need to create a config file for SOPS:

cat <<EOF > ./.sops.yaml
creation_rules:
  - path_regex: .*.yaml
    encrypted_regex: ^(data|stringData)$
    kms: arn:aws:kms:us-west-2:250887682577:key/c2affea6-1a23-4730-811c-4e00f71b4e1d
    aws_profile: default
EOF

aws_profile is the profile name in your AWS credentials file.

Now I will create the file configmap.yaml:

vi configmap.yaml

Content:
apiVersion: v1
data:
  exec.enable: 'true'
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd

root@LP11-D7891:~/sops# sops --encrypt --in-place configmap.yaml
INFO found a configuration for 'configmap.yaml' in '../.sops.yaml'
INFO: generating and storing data encryption key

root@LP11-D7891:~/sops# cat configmap.yaml
apiVersion: ENC[AES256_GCM,data:wsg=,iv:rp+e1hzMVMOoUXgu3qvnRj60xWPsBSD9bhSA7g7eL10=,tag:HdtqnI7dWsWV3W8kUB8Vcw==,type:str]
data:
    exec.enable: ENC[AES256_GCM,data:rM28xg==,iv:KpAEhMo0H4ML4CRBqu4sHBFobOtdqt0BOU9AlctM+50=,tag:Snti0P/oX41ZjOCJs8dQ5w==,type:str]
kind: ENC[AES256_GCM,data:VwA00IjAflnu,iv:ENpziSwMg5UkHkzCzFJzba0jcp0RQD2GzyFdfNVUFpo=,tag:+DfGjQob1YD7JatrXGHhag==,type:str]
metadata:
    labels:
        app.kubernetes.io/instance: ENC[AES256_GCM,data:CPO1WFAg,iv:q6js9e1eOJEEaHqvg0F0uYm4qYW3Sso4h2WTa2UmJ4A=,tag:jDCOnNxXrZ0Z9T/4DTL1Xw==,type:str]
        app.kubernetes.io/name: ENC[AES256_GCM,data:1uNgQJXxFw9R,iv:XHUNAZlcpCWj+c9GcV1NkgMDRJFYdxmEzyG8OM86eEg=,tag:xP6479VbKUahQZFjrrR1Jw==,type:str]
        app.kubernetes.io/part-of: ENC[AES256_GCM,data:mKEI3+eq,iv:JPcDPynaSL/vts3uu+KDOa7KFoXBSBvKTKbLLctbtMg=,tag:96tyadobNFj2ohvFxtn0wQ==,type:str]
    name: ENC[AES256_GCM,data:gxyAHqwXycSb,iv:BTM0lb34otc5b+5QbrCvzvMGw+0CpiEhSXww3KD+ovU=,tag:6utKNvvLy8nJFil5KoBikg==,type:str]
    namespace: ENC[AES256_GCM,data:VGbLLxuZ,iv:fYZsXcpB8RJZIEkbnE/WASNA22QsLfiy73wMH2B94Uk=,tag:vW8dDaQNDBN0sAVciQT0oA==,type:str]
sops:
    attention: This section contains key material that should only be modified with
        extra care. See `sops -h`.
    version: '1.18'
    unencrypted_suffix: _unencrypted
    kms:
    -   arn: arn:aws:kms:us-west-2:250887682577:key/c2affea6-1a23-4730-811c-4e00f71b4e1d
        enc: AQICAHieQzzkJQgHz+zSKXuZTbF0N9fOD29+n/pVBcZo8lS4dAGCwuVHO/wUItW+8/YwjIlwAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMk6eWsUcYbrSk+TlUAgEQgDuTVf+uO5uY+mPb3Gkr61BHp9Nm6z+hMEJa6qX7WTDChwqNV01cXIuW9ByXNMLlO+j5olQrkGPOjqv3Ig==
        created_at: '2022-12-01T17:06:14Z'
    lastmodified: '2022-12-01T17:06:14Z'
    mac: ENC[AES256_GCM,data:Mv+AWbwYHYo+eV0GmhpomKhOI1OyjY4CdDVFZSwwuosKJwcecKvhR34rsnRrQhvLHAir6LlZhqPJfg2pO5kze8OSvStVkEBExM8CsO3n2TSIvqO7EoQdor6OVIdAF/z5Og3ZIcEWtcGxhZJJKUqhBwD3fIHAh9Knt4Zf9lfNz38=,iv:pv3l+88TfOhVaPf5S7Y1fQlKo8rgEuWRxsDr/MawZhc=,tag:Nc76oH9Zb4Spp5de21Am5g==,type:str]

Now the file is encrypted.
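Before the encrypted manifest goes to GitHub it is worth checking mechanically that nothing under data/stringData is still plaintext and that the sops metadata points at the intended KMS key. The Python script below is an added example (it is not part of the original post and not a sops or KSOPS tool); it uses only the standard library and a line-based scan that assumes the flat indentation sops writes. The sample manifests and the KMS ARN with account 000000000000 are constructed placeholders. One caveat visible in the terminal output above: sops reported finding its configuration in ../.sops.yaml, not the ./.sops.yaml just written, and every field including apiVersion and kind came out encrypted rather than only data as the encrypted_regex would give. This check flags plaintext secrets but does not complain about over-encryption, so confirm which .sops.yaml is actually in effect.

```python
import re

# A SOPS-encrypted scalar looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|bytes)\]$"
)
# Top-level sections that the encrypted_regex ^(data|stringData)$ in .sops.yaml targets
SECRET_SECTIONS = ("data", "stringData")

# Constructed placeholder ARN (not a real key); pass your own key ARN in practice
EXPECTED_ARN = "arn:aws:kms:us-west-2:000000000000:key/00000000-0000-0000-0000-000000000000"


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_plaintext_values(manifest):
    """Return [(line_no, key)] for every scalar under a top-level data:/stringData:
    whose value is not a SOPS ENC[...] blob. Deliberately line-based so it needs no
    YAML library; assumes the 2- or 4-space indentation sops itself emits."""
    findings = []
    in_secret_section = False
    for no, raw in enumerate(manifest.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(raw) == 0:
            top_key = stripped.split(":", 1)[0]
            in_secret_section = top_key in SECRET_SECTIONS
            continue
        if not in_secret_section or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        # an empty value is a nested mapping header, not a secret scalar
        if value and not ENC_RE.match(value):
            findings.append((no, key.strip()))
    return findings


def check_sops_metadata(manifest, expected_arn):
    """True iff the file carries a sops: block with a MAC and references the expected KMS key."""
    has_sops = re.search(r"^sops:\s*$", manifest, re.M) is not None
    has_mac = re.search(r"^\s+mac:\s*ENC\[AES256_GCM,", manifest, re.M) is not None
    has_arn = re.search(r"^\s+-?\s*arn:\s*" + re.escape(expected_arn) + r"\s*$",
                        manifest, re.M) is not None
    return has_sops and has_mac and has_arn


def verify_before_push(manifest, expected_arn):
    """Collect human-readable problems; an empty list means the file is safe to commit."""
    problems = [f"line {no}: '{key}' is plaintext" for no, key in find_plaintext_values(manifest)]
    if not check_sops_metadata(manifest, expected_arn):
        problems.append("missing sops metadata (sops:/mac:) or unexpected KMS key ARN")
    return problems


# Constructed sample: the ConfigMap from the post before encryption
PLAINTEXT = """apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  exec.enable: 'true'
"""

# Constructed sample: what a correctly scoped encryption (data only) looks like;
# the ENC blobs are dummy base64, not real ciphertext
ENCRYPTED = """apiVersion: v1
kind: ConfigMap
metadata:
    name: argocd-cm
    namespace: argocd
data:
    exec.enable: ENC[AES256_GCM,data:AAAAAA==,iv:BBBBBBBB,tag:CCCCCCCC,type:str]
sops:
    kms:
    -   arn: arn:aws:kms:us-west-2:000000000000:key/00000000-0000-0000-0000-000000000000
        created_at: '2022-12-01T17:06:14Z'
    mac: ENC[AES256_GCM,data:DDDDDDDD,iv:EEEEEEEE,tag:FFFFFFFF,type:str]
"""

if __name__ == "__main__":
    for name, doc in (("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED)):
        print(name, "->", verify_before_push(doc, EXPECTED_ARN) or "OK")
```

Run it as a pre-commit or pre-push hook over every manifest that matches the path_regex in .sops.yaml; a non-empty result should block the push.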

Now integrate with ArgoCD:

You can also refer to this link for installing ArgoCD via Helm:
https://github.com/viaduct-ai/kustomize-sops/issues/156

Argo Helm repo:
https://argoproj.github.io/argo-helm

values.yaml

configs:
  cm:
    create: true
    kustomize.buildOptions: "--enable-alpha-plugins"

repoServer:
  name: repo-server
  env:
    - name: XDG_CONFIG_HOME
      value: /.config
    - name: AWS_DEFAULT_REGION
      value: eu-central-1
    - name: AWS_ACCESS_KEY_ID
      value: "XXXXXXXXXQSHIIZXXXXXXX"
    - name: AWS_SECRET_ACCESS_KEY
      value: "XXXXXXXXXXXDd9zLTqlMWSAEXXXXXXXX"
  volumeMounts:
    - mountPath: /usr/local/bin/kustomize
      name: custom-tools
      subPath: kustomize
    - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
      name: custom-tools
      subPath: ksops
  volumes:
    - name: custom-tools
      emptyDir: {}
  initContainers:
    - name: install-ksops
      image: viaductoss/ksops:v3.0.2
      command: ["/bin/sh", "-c"]
      args:
        - echo "Installing KSOPS...";
          mv ksops /custom-tools/;
          mv $GOPATH/bin/kustomize /custom-tools/;
          echo "Done.";
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
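The values.yaml above puts a static AWS access key and secret into the repo-server environment as literal value: entries, so the credentials that unlock every KMS-encrypted secret would themselves land in git if this file is committed. As an added example (not from the original post or the argo-cd chart), the script below scans a values file and reports AWS credential env vars given as literals. The alternative form using valueFrom.secretKeyRef assumes the chart passes repoServer.env through as ordinary Kubernetes EnvVar entries, and the Secret name argocd-repo-server-aws is a constructed placeholder; an IAM role bound to the repo-server service account would remove the static keys altogether.

```python
import re

# Environment variables that carry long-lived or session AWS credentials
AWS_CRED_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def find_literal_aws_creds(values_text):
    """Return the names of AWS credential env vars whose entry uses a literal
    `value:` instead of a `valueFrom:` reference. Assumes the usual layout where
    `- name:` is the first line of each env entry and `value:`/`valueFrom:` follows it."""
    findings = []
    lines = values_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*-\s*name:\s*([A-Z0-9_]+)\s*$", line)
        if not m or m.group(1) not in AWS_CRED_ENV:
            continue
        # the next non-blank line tells us how the value is supplied
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        if j < len(lines) and re.match(r"^\s*value:", lines[j]):
            findings.append(m.group(1))
    return findings


# Constructed sample mirroring the post's env block (keys masked as in the post)
LITERAL_VALUES = """repoServer:
  env:
    - name: AWS_DEFAULT_REGION
      value: eu-central-1
    - name: AWS_ACCESS_KEY_ID
      value: "XXXXXXXXXQSHIIZXXXXXXX"
    - name: AWS_SECRET_ACCESS_KEY
      value: "XXXXXXXXXXXDd9zLTqlMWSAEXXXXXXXX"
"""

# Constructed sample: same env vars sourced from a Kubernetes Secret (placeholder name)
REFERENCED_VALUES = """repoServer:
  env:
    - name: AWS_DEFAULT_REGION
      value: eu-central-1
    - name: AWS_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          name: argocd-repo-server-aws
          key: access-key-id
    - name: AWS_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          name: argocd-repo-server-aws
          key: secret-access-key
"""

if __name__ == "__main__":
    print("literal:   ", find_literal_aws_creds(LITERAL_VALUES))
    print("referenced:", find_literal_aws_creds(REFERENCED_VALUES))
```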

Encrypt Data in Your Application and Integrate with Argocd.

Now push the encrypted file to git and create an application on ArgoCD to verify it; you can refer to the link below:
https://nimtechnology.com/2022/07/03/argocd-ksops-encrypting-resource-on-kustomise-and-argocd/
