@@ -100,7 +100,7 @@ Follow instruction in [CI-Workflow](./docs/developer/ci-workflow.md) for specifi
## How to Contribute
1. Fork this repository, develop, and test your changes.
1. Fork this repository, develop, and test your changes. (if you do not have permissions to fork the repository, You can download the repo as a tar.gz file and upload to your own repo in your Gitlab instance instead)
1. Submit a pull request.
1. Keep an eye out for comments. From bots and maintainers to ensure CI is passing and issues or suggestions are addressed.
@@ -84,8 +84,38 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
```
### GCP KMS
- If using a GCP KMS key, you can skip the section: "Create GPG Encryption Key". Instead, in your .sops.yaml file (note - this is a hidden file at the root of this directory) use this configuration instead
of the GPG config:
```yaml
creation_rules:
-encrypted_regex:'^(data|stringData)$'
gcp_kms:<gcp resource name of key>
```
Key resource name should look like: ```projects/{PROJECT_ID}/locations/global/keyRings/{KEY_RING_NAME}/cryptoKeys/{KEY_NAME}_**```
If you get errors about the key not working, try re-logging in to GCP:
```gcloud auth application-default login```
And make sure you have the right project set:
```gcloud config set project <project_id>```
Also make sure you have these IAM roles on your GCP account:
```shell
roles/container.admin
roles/iam.serviceAccountAdmin
```
The KMS key also needs IAM permissions, and needs to be linked back to the flux-controller in the cluster. You need to create a service account and role binding, then manually annotate it:
GCP uses Workload Identity to allow the flux-controller to use the service account, good references for this setup are here. Make sure you enable Workload Identity on the cluster nodes:
TBD - [This article](https://blog.doit-intl.com/injecting-secrets-from-aws-gcp-or-vault-into-a-kubernetes-pod-d5a0e84ba892) may help to automate secret consumption in Kubernetes.
