Commit 53471345 authored by Suzanne Selhorn

Merge branch 'nagyv-gitlab-master-patch-59502' into 'master'

Add GitOps secrets management page

See merge request gitlab-org/gitlab!80947
parents 784cb7ef 35cbdca2
......@@ -112,6 +112,13 @@ gitops:
inventory_policy: must_match # 'must_match' by default
```
## Additional resources
The following documentation and examples can help you get started with a GitOps workflow.
- [Managing Kubernetes secrets in a GitOps workflow](gitops/secrets_management.md)
- [Application and manifest repository example](https://gitlab.com/gitlab-examples/ops/gitops-demo/hello-world-service-gitops)
## Troubleshooting
### Avoiding conflicts when you have multiple projects
---
stage: Configure
group: Configure
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
---
# Managing Kubernetes secrets in a GitOps workflow
You should never store Kubernetes secrets in unencrypted form in a `git` repository. If you use a GitOps workflow, you can follow these steps to securely manage your secrets.
1. Set up the Sealed Secrets controller to manage secrets.
1. Deploy Docker credentials so the cluster can pull images from the GitLab Container Registry.
## Prerequisites
This setup requires:
- A [GitLab agent for Kubernetes configured for the GitOps workflow](../gitops.md).
- Access to the cluster to finish the setup.
## Set up the Sealed Secrets controller to manage secrets
You can use the [Sealed Secrets controller](https://github.com/bitnami-labs/sealed-secrets) to store encrypted secrets securely in a `git` repository. The controller decrypts the secret into a standard Kubernetes `Secret` kind resource.
1. Go to [the Sealed Secrets release page](https://github.com/bitnami-labs/sealed-secrets/releases) and download the most recent `controller.yaml` file.
1. In GitLab, go to the project that contains your Kubernetes manifests and upload the `controller.yaml` file.
1. Open the agent configuration file (`config.yaml`) and if needed, update the `paths.glob` pattern to match the Sealed Secrets manifest.
1. Commit and push the changes to GitLab.
1. Confirm that the Sealed Secrets controller was installed successfully:
```shell
kubectl get pods -lname=sealed-secrets-controller -n kube-system
```
1. Install the `kubeseal` command line utility by following [the Sealed Secrets instructions](https://github.com/bitnami-labs/sealed-secrets#homebrew).
1. Get the public key you need to encrypt secrets without direct access to the cluster:
```shell
kubeseal --fetch-cert > public.pem
```
1. Commit the public key to the repository.
For more details on how the Sealed Secrets controller works, view [the usage instructions](https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md#usage).
## Deploy Docker credentials
To deploy containers from the GitLab Container Registry, you must configure the cluster with the proper Docker registry credentials. You can achieve this by deploying a `docker-registry` type secret.
1. Generate a GitLab token with at least `read-registry` rights. The token can be either a Personal or a Project Access Token.
1. Create a Kubernetes secret manifest YAML file. Update the values as needed:
```shell
kubectl create secret docker-registry gitlab-credentials --docker-server=registry.gitlab.example.com --docker-username=<gitlab-username> --docker-password=<gitlab-token> --docker-email=<gitlab-user-email> -n <namespace> --dry-run=client -o yaml > gitlab-credentials.yaml
```
1. Encrypt the secret into a `SealedSecret` manifest:
```shell
kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml
```
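Review bot: the final step of this hunk leaves the plaintext secret on disk with no instruction to remove it or keep it out of the commit. The `kubectl create secret docker-registry ... --dry-run=client -o yaml > gitlab-credentials.yaml` step writes the access token unencrypted into `gitlab-credentials.yaml` in the working tree, and after `kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml` the page says nothing about deleting that file or excluding it, so a reader following the steps literally can commit exactly what the page's opening sentence warns against. Suggest a closing step such as "Commit `gitlab-credentials.sealed.yaml` to the repository and delete `gitlab-credentials.yaml`; never commit the unsealed file." Minor: in step 1 of "Deploy Docker credentials", the token scope is spelled `read_registry` (underscore), not `read-registry`.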