UNCLASSIFIED - NO CUI

Commit 71096dc1 authored by Christopher O'Connell

Merge branch '1896-documentation-update' into 'master'

Resolve "Documentation Update"

Closes #1896

See merge request !5585
parents cf46ba5f cbf9fbff
Pipeline #3842122 passed
......@@ -100,7 +100,7 @@ Follow instruction in [CI-Workflow](./docs/developer/ci-workflow.md) for specifi
## How to Contribute
1. Fork this repository, develop, and test your changes.
1. Fork this repository, develop, and test your changes. (if you do not have permissions to fork the repository, You can download the repo as a tar.gz file and upload to your own repo in your Gitlab instance instead)
1. Submit a pull request.
1. Keep an eye out for comments. From bots and maintainers to ensure CI is passing and issues or suggestions are addressed.
......
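Review bot: the rewritten first step has a capitalisation slip mid-sentence ("You can download") and the product name should be written "GitLab" rather than "Gitlab"; while touching it, the parenthetical reads better as its own sentence, e.g. "If you do not have permission to fork the repository, download it as a tar.gz archive and upload it to a repository in your own GitLab instance instead." The following step still says "pull request" although the workflow and the rest of this page use GitLab merge requests, and the last step is split into a fragment ("Keep an eye out for comments. From bots and maintainers to ensure...") that should be one sentence.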
......@@ -84,8 +84,38 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
```
### GCP KMS
- If using a GCP KMS key, you can skip the section: "Create GPG Encryption Key". Instead, in your .sops.yaml file (note - this is a hidden file at the root of this directory) use this configuration instead
of the GPG config:
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData)$'
gcp_kms: <gcp resource name of key>
```
Key resource name should look like: ```projects/{PROJECT_ID}/locations/global/keyRings/{KEY_RING_NAME}/cryptoKeys/{KEY_NAME}_**```
If you get errors about the key not working, try re-logging in to GCP:
```gcloud auth application-default login```
And make sure you have the right project set:
```gcloud config set project <project_id>```
Also make sure you have these IAM roles on your GCP account:
```shell
roles/container.admin
roles/iam.serviceAccountAdmin
```
The KMS key also needs IAM permissions, and needs to be linked back to the flux-controller in the cluster. You need to create a service account and role binding, then manually annotate it:
```kubectl annotate serviceaccount kustomize-controller --namespace flux-system iam.gke.io/gcp-service-account=flux-service-account@<project_id>.iam.gserviceaccount.com```
GCP uses Workload Identity to allow the flux-controller to use the service account, good references for this setup are here. Make sure you enable Workload Identity on the cluster nodes:
[GCP Docs](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
[Medium Article](https://medium.com/the-telegraph-engineering/binding-gcp-accounts-to-gke-service-accounts-with-terraform-dfca4e81d2a0)
TBD - [This article](https://blog.doit-intl.com/injecting-secrets-from-aws-gcp-or-vault-into-a-kubernetes-pod-d5a0e84ba892) may help to automate secret consumption in Kubernetes.
### Azure KeyVault
......
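Review bot: the example key resource name ends in a stray `_**` after `{KEY_NAME}`, which a reader will copy into `.sops.yaml` verbatim; the suffix looks like leftover markdown emphasis and should be dropped so the line ends at `cryptoKeys/{KEY_NAME}`. On the permissions paragraph, the two roles listed (`roles/container.admin`, `roles/iam.serviceAccountAdmin`) are cluster and service-account admin roles, and the text then says "The KMS key also needs IAM permissions" without naming which; state the least-privilege KMS role the Flux service account actually needs to decrypt (a decrypter-only role on that key, e.g. `roles/cloudkms.cryptoKeyDecrypter`, rather than an admin role) so readers do not over-grant. Smaller points: the single-line commands (`gcloud auth application-default login`, `gcloud config set project`, `kubectl annotate ...`) are wrapped in triple backticks inline and should use single backticks or a fenced `shell` block like the one above them; the `kubectl annotate` line assumes the service account is named `flux-service-account`, which should be stated as the name created in the preceding step; and the "TBD" line and the bare "Medium Article" link read as unfinished notes rather than documentation.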