Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2020-05-06 19:57:27
Size: 72
Editor: PieterSmit
Comment:
Revision 5 as of 2020-06-30 09:57:33
Size: 1467
Editor: PieterSmit
Comment:
Line 2: Line 2:

Links: https://github.com/mozilla/sops
 * Install plugin to helm {{{
$ helm plugin install https://github.com/futuresimple/helm-secrets
##>> install package sops
 }}}

 * Notes: I missed the fact that helm secrets expect the secret files to be names secrets.yaml (or secrets<xxx>.yaml)
== Using keys in Azure Key vaults ==

 * Create key {{{


AZ_AKV_RG="akv-infra"
AZ_AKV_LOCATION="Australia Southeast"
AZ_AKV_SUBSCRIPTION="Infrastructure"

az account set --subscription "$AZ_AKV_SUBSCRIPTION"
## Create multiple key vaults and keys each in a vault e.g. keya in helm-comp-dev, keyb in helm-comp-prd
ch="fdnb"
for en in prd; do
  AZ_AKV_NAME="helm-$ch-$en"
  echo "AZ_AKV_NAME=$AZ_AKV_NAME , AZ_AKV_LOCATION=$AZ_AKV_LOCATION , AZ_AKV_RG=$AZ_AKV_RG"
  if ! az keyvault create --name $AZ_AKV_NAME --location "$AZ_AKV_LOCATION" --resource-group $AZ_AKV_RG
    then
    echo "ERROR" ; exit 1
    fi
  #now check for kv in dns, it takes a couple of seconds, dont want to polute global dns beore it exists.
  i=0
  
  while [[ i -le 45 ]] ;
  do
    i=$((i+1))
    sleep 1 ; echo "i=$i dns for key vault does not exist yet sleep some more ..."
    done
  echo " Now create key --name $AZ_AKV_NAME in --vault-name $AZ_AKV_NAME "
  az keyvault key create --name $AZ_AKV_NAME --vault-name $AZ_AKV_NAME --protection software --ops encrypt decrypt
done

}}}
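Review bot: The loop under `#now check for kv in dns` never checks anything — it sleeps 46 times (i runs 0..45) and then calls `az keyvault key create` regardless, so the comment and the "dns for key vault does not exist yet" message overstate what it does. If the fixed delay is deliberate, to avoid caching an NXDOMAIN for the new vault name before the record is published, say so in the comment, e.g. `# fixed grace period: deliberately not querying DNS so an early lookup cannot negative-cache the name`, and drop the "check" wording. Two further points a security reviewer would raise: `$AZ_AKV_NAME` and `$AZ_AKV_RG` are unquoted on the `az keyvault create` line, and the vault that holds the SOPS key-encryption key is created with defaults only — note whether `--enable-purge-protection true` is wanted, since purging this key makes every secret in the git repo unrecoverable. The key create itself is also not error-checked, unlike the vault create above it.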

k8s/helm/secrets - secure secrets with encryption in helm git repo

Links: https://github.com/mozilla/sops

  • Install plugin to helm

    $ helm plugin install https://github.com/futuresimple/helm-secrets
    ##>> install package sops
  • Note: helm-secrets expects the secret files to be named secrets.yaml (or secrets<xxx>.yaml); files with other names are not picked up.

Using keys in Azure Key vaults

  • Create key

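    # Create one Azure Key Vault per environment and one software-protected
    # encrypt/decrypt key in each, for use as the SOPS key-encryption key (KEK)
    # of the secrets*.yaml files in the helm git repo.
    #
    # Assumes `az login` has already been done by an identity allowed to create
    # vaults and keys in $AZ_AKV_RG. The error paths call `exit 1`, so run this
    # as a script rather than pasting it into an interactive shell.
    AZ_AKV_RG="akv-infra"
    AZ_AKV_LOCATION="Australia Southeast"
    AZ_AKV_SUBSCRIPTION="Infrastructure"
    # Grace period (seconds) between creating a vault and first using it.
    AZ_AKV_WAIT_SECS=45
    
    if ! az account set --subscription "$AZ_AKV_SUBSCRIPTION"; then
      echo "ERROR: cannot select subscription $AZ_AKV_SUBSCRIPTION" >&2
      exit 1
    fi
    ## Create multiple key vaults and keys each in a vault e.g.  keya in helm-comp-dev,  keyb in helm-comp-prd
    ## Only "prd" is listed below; add "dev" etc. to the loop to create more.
    ch="fdnb"
    for en in prd; do
      AZ_AKV_NAME="helm-$ch-$en"
      echo "AZ_AKV_NAME=$AZ_AKV_NAME  ,  AZ_AKV_LOCATION=$AZ_AKV_LOCATION  ,  AZ_AKV_RG=$AZ_AKV_RG"
      # NOTE(review): this vault holds the KEK for every secret in the repo. If
      # soft-delete/purge protection is not already enforced by policy, consider
      # adding `--enable-purge-protection true` so the key cannot be purged. It
      # is irreversible, which is why it is not switched on silently here.
      if ! az keyvault create --name "$AZ_AKV_NAME" --location "$AZ_AKV_LOCATION" --resource-group "$AZ_AKV_RG"; then
        echo "ERROR: az keyvault create $AZ_AKV_NAME failed" >&2
        exit 1
      fi
      # Fixed grace period before the first data-plane call. The vault's DNS
      # name takes a few seconds to appear and we deliberately do NOT query DNS
      # here: an early lookup could cache an NXDOMAIN for the name in the
      # resolver (the original note: "dont want to polute global dns before it
      # exists"). The previous loop slept 46 times while claiming to check;
      # this makes the fixed wait explicit and bounded by AZ_AKV_WAIT_SECS.
      for ((i = 1; i <= AZ_AKV_WAIT_SECS; i++)); do
        sleep 1
        echo "i=$i waiting for key vault DNS to be published ($i/$AZ_AKV_WAIT_SECS s) ..."
      done
      echo " Now create key --name $AZ_AKV_NAME in --vault-name $AZ_AKV_NAME "
      # Software-protected key restricted to the encrypt/decrypt operations the
      # author selected for SOPS. For production consider an HSM-backed key
      # (premium SKU, `--protection hsm`) so the private key never leaves the HSM.
      # Failure here used to be ignored; a missing key would only surface later
      # when sops tries to encrypt.
      if ! az keyvault key create --name "$AZ_AKV_NAME" --vault-name "$AZ_AKV_NAME" --protection software --ops encrypt decrypt; then
        echo "ERROR: az keyvault key create $AZ_AKV_NAME in vault $AZ_AKV_NAME failed" >&2
        exit 1
      fi
    done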
