I use a .env file which is encrypted using git-crypt and is referenced by every script below. I have provided a .env.sample file which should show all the environment variables potentially needed for any of the following to function. If copying this repo, you may want to re-initialize git-crypt, copy the .env.sample file to .env, and overwrite the default values with your specific ones.
setup/install-tools-setup.sh
Simply run ./bootstrap-cluster.sh located in this directory to set up the cluster. This does the following:
- Sets up sealed-secrets key
- If key does not exist, it will generate one (encrypted with git-crypt)
- Installs flux2
This script was originally pulled from billimek/k8s-gitops but may have some modifications based on my needs.
The bootstrap-secrets.sh script has been added to take care of pushing a common key to the cluster so that secrets can survive a cluster rebuild. It gets run as part of the bootstrap-cluster.sh script but can be run again individually if a new secrets key needs to be generated. If a new key is generated and uploaded, delete the sealed-secrets controller and let flux rebuild it to pull in the new key. kubeseal needs to be told to use the new public key; I use an alias to ensure it's always used: alias TBD.
The script seal-secrets.sh will take care of encrypting defined secrets using a *.template file located in the directory where you wish the secret to be stored. Take a look at flux-system-extra/github-alerts/github-api-token for an example of what one of the template files looks like. For the script to function you must have kubeseal installed and the correct sealed-secrets.crt file in the setup directory. Definitions for which secrets need to be encrypted are currently part of the script itself.
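The two workflows above (bootstrapping a sealing key that survives a rebuild, and rendering a *.template into a SealedSecret with kubeseal) as one added POSIX shell example. This is not the repo's bootstrap-secrets.sh or seal-secrets.sh; it is illustrative code written for this page. Assumptions, which the original does not state: templates carry `${VAR}` placeholders that are filled from the exported .env variables; the sealed output is written beside the template as `<name>.yaml`; the private key is stored as `sealed-secrets.key` next to the `sealed-secrets.crt` the page mentions; and the key is uploaded into `kube-system` under the secret name `sealed-secrets-key` with the `sealedsecrets.bitnami.com/sealed-secrets-key=active` label that the sealed-secrets project documents for bring-your-own keys.

```shell
#!/bin/sh
# Added example, not the repo's own scripts. Assumed conventions (see lead-in):
# ${VAR} placeholders in templates, <name>.yaml output, kube-system namespace,
# "sealed-secrets-key" secret name, sealed-secrets.key beside sealed-secrets.crt.

# Export every KEY=VALUE line of the git-crypt-protected .env so awk's ENVIRON
# can see them. The file is sourced as shell, so it must be one you wrote yourself.
load_env() {
  env_file="${1:-.env}"
  [ -f "$env_file" ] || { echo "load_env: $env_file not found (copy .env.sample?)" >&2; return 1; }
  set -a
  . "$env_file"
  set +a
}

# Replace ${NAME} placeholders with exported values. Substituted text is never
# rescanned and no sed escaping is involved, so tokens containing / & | + = are
# safe. Fails on the first unset or empty variable rather than sealing a blank value.
render_template() {
  awk '{
    line = $0; out = ""
    while (match(line, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
      name = substr(line, RSTART + 2, RLENGTH - 3)
      if (!(name in ENVIRON) || ENVIRON[name] == "") {
        printf "render_template: %s is unset or empty (check .env)\n", name > "/dev/stderr"
        exit 1
      }
      out = out substr(line, 1, RSTART - 1) ENVIRON[name]
      line = substr(line, RSTART + RLENGTH)
    }
    print out line
  }' "$1"
}

# Render one template in memory and encrypt it with the cluster public cert, so
# only the sealed output (safe to commit) is ever written to disk.
seal_template() {
  template="$1"; cert="$2"
  out="${template%.template}.yaml"          # assumed output naming
  rendered="$(render_template "$template")" || return 1
  printf '%s\n' "$rendered" | kubeseal --cert "$cert" --format yaml > "$out" || { rm -f "$out"; return 1; }
  echo "sealed $template -> $out"
}

# Seal every *.template below a directory (the page keeps each template in the
# directory where its secret belongs).
seal_all() {
  root="$1"; cert="$2"
  command -v kubeseal >/dev/null 2>&1 || { echo "seal_all: kubeseal is not installed" >&2; return 1; }
  [ -f "$cert" ] || { echo "seal_all: missing $cert in the setup directory" >&2; return 1; }
  find "$root" -name '*.template' | while read -r t; do seal_template "$t" "$cert" || exit 1; done
}

# Generate the sealing key pair once; the private key is what git-crypt protects.
ensure_sealing_key() {
  key="$1"; crt="$2"
  if [ -f "$key" ] && [ -f "$crt" ]; then return 0; fi
  openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
    -keyout "$key" -out "$crt" -subj "/CN=sealed-secret/O=sealed-secret"
}

# Push the key into the cluster with the label the controller looks for. The apply
# is idempotent, so re-running after a rebuild restores the same key. As the page
# says, delete the controller afterwards and let flux rebuild it to load the key.
upload_sealing_key() {
  key="$1"; crt="$2"
  kubectl -n kube-system create secret tls sealed-secrets-key \
    --cert="$crt" --key="$key" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n kube-system label --overwrite secret sealed-secrets-key \
    sealedsecrets.bitnami.com/sealed-secrets-key=active
}

# Usage: ./example.sh bootstrap-key      (generate if needed, then upload)
#        ./example.sh seal [repo-root]   (seal every *.template found)
case "${1:-}" in
  bootstrap-key) load_env && ensure_sealing_key sealed-secrets.key sealed-secrets.crt \
                   && upload_sealing_key sealed-secrets.key sealed-secrets.crt ;;
  seal)          load_env && seal_all "${2:-..}" sealed-secrets.crt ;;
esac
```

The rendering step deliberately uses awk string concatenation instead of sed or envsubst: API tokens routinely contain `/`, `&`, `+` and `=`, which are sed metacharacters or delimiters, and an unset placeholder fails the run instead of silently sealing an empty string.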