flux-docker-for-mac

My Docker for Mac Cluster State

Encryption Config

conf.yaml:

---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: sops
          endpoint: unix:///var/lib/sops/sops.sock
          cachesize: 100
          timeout: 3s
      - identity: {}

Start kube-apiserver with --encryption-provider-config /path/to/conf.yaml
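The order of the providers in the config above matters: kube-apiserver encrypts every new write with the first provider and only uses the later ones to read data that was stored under them, so a list that starts with identity writes plaintext, and a list without identity cannot read secrets written before encryption was turned on. The following linter, added here and not part of the repository, encodes those checks. It takes the configuration as the dict that a YAML loader would produce (CONF mirrors conf.yaml and is embedded so the script runs without PyYAML), and the thresholds and messages are my own.

```python
import re

# conf.yaml from above, as a Python dict so this runs without a YAML library
CONF = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["secrets"],
            "providers": [
                {"kms": {"name": "sops",
                         "endpoint": "unix:///var/lib/sops/sops.sock",
                         "cachesize": 100, "timeout": "3s"}},
                {"identity": {}},
            ],
        }
    ],
}

_DURATION = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m|h)$")


def _seconds(duration: str):
    """Parse a Go-style duration such as '3s' or '500ms'; None if unparseable."""
    m = _DURATION.match(duration)
    if not m:
        return None
    return float(m.group(1)) * {"ms": 0.001, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def check_encryption_config(conf: dict) -> list:
    """Return human-readable findings; an empty list means the config looks sound."""
    findings = []
    if conf.get("kind") != "EncryptionConfiguration":
        findings.append(f"kind is {conf.get('kind')!r}, expected EncryptionConfiguration")
    for entry in conf.get("resources", []):
        label = ",".join(entry.get("resources", [])) or "<no resources>"
        providers = entry.get("providers", [])
        if not providers:
            findings.append(f"{label}: no providers listed")
            continue
        names = [next(iter(p)) for p in providers]
        # The first provider is used for every new write; identity means plaintext.
        if names[0] == "identity":
            findings.append(f"{label}: identity is first, so new objects are written in plaintext")
        # Later providers are read fallbacks; identity last keeps objects written
        # before encryption was enabled readable until they are rewritten.
        if "identity" not in names:
            findings.append(f"{label}: no identity fallback, objects stored before encryption "
                            "was enabled will be unreadable")
        elif names[-1] != "identity":
            findings.append(f"{label}: identity is not the last provider")
        for p in providers:
            kind, spec = next(iter(p.items()))
            if kind != "kms":
                continue
            if not spec.get("name"):
                findings.append(f"{label}: kms provider without a name")
            endpoint = spec.get("endpoint", "")
            if not endpoint.startswith("unix://"):
                findings.append(f"{label}: kms endpoint {endpoint!r} is not a unix:// socket")
            if _seconds(str(spec.get("timeout", ""))) is None:
                findings.append(f"{label}: kms timeout {spec.get('timeout')!r} is not a duration")
            if not isinstance(spec.get("cachesize", 0), int) or spec.get("cachesize", 0) < 0:
                findings.append(f"{label}: kms cachesize must be a non-negative integer")
    if not any("secrets" in e.get("resources", []) for e in conf.get("resources", [])):
        findings.append("secrets are not covered by any provider list")
    return findings


if __name__ == "__main__":
    for line in check_encryption_config(CONF) or ["no findings"]:
        print(line)
```

Run it against a copy of the config before restarting kube-apiserver; a swapped provider order is the mistake that silently leaves new secrets in plaintext while the flag looks enabled.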

Docker for Mac

Setup

Launch the sops keyservice (you may need to create /var/lib/sops inside the Docker VM first; see below for how to enter the Docker VM):

GOOS=linux GOARCH=amd64 go build go.mozilla.org/sops/v3/cmd/sops && \
docker-run-cwd \
   -v "/var/lib/sops:/inside-k8s" \
   -v "./sops-conf/sops.yaml:/etc/sops/conf.yaml:ro" \
   -v "./sops-conf/gnupg:/root/.gnupg" \
   gpg \
   ./sops --config /etc/sops/conf.yaml keyservice-k8s --verbose --path /inside-k8s/sops.sock

For everything below, create missing folders if needed.

First, go in the Docker for Mac VM:

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh

Create the EncryptionConfiguration above at /run/config/k8s-encryption/encryption-config.yaml.

Then edit /etc/kubernetes/manifests/kube-apiserver.yaml.

  • Add the following to spec.containers[0].command:

    - --encryption-provider-config=/run/config/k8s-encryption/encryption-config.yaml

  • Add the following volume mount paths:

    - mountPath: /var/lib/sops
      name: sops
      readOnly: true
    - mountPath: /run/config/k8s-encryption
      name: k8s-encryption
      readOnly: true

  • Add the following volumes:

    - hostPath:
        path: /var/lib/sops
        type: Directory
      name: sops
    - hostPath:
        path: /run/config/k8s-encryption
        type: Directory
      name: k8s-encryption
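The three manifest edits above can be applied and verified programmatically, which is handy when the static pod manifest gets regenerated. This is an added example, not code from the repository: it works on the manifest as the dict a YAML loader would yield, adds the flag, mounts and volumes idempotently (a second run changes nothing, and an existing --encryption-provider-config value is replaced rather than duplicated), and checks that each mount is read-only and backed by a volume. SAMPLE_MANIFEST is a constructed stand-in for the Docker for Mac kube-apiserver.yaml, and the image name in it is a placeholder.

```python
import copy

ENC_FLAG = "--encryption-provider-config=/run/config/k8s-encryption/encryption-config.yaml"
MOUNTS = [
    {"mountPath": "/var/lib/sops", "name": "sops", "readOnly": True},
    {"mountPath": "/run/config/k8s-encryption", "name": "k8s-encryption", "readOnly": True},
]
VOLUMES = [
    {"hostPath": {"path": "/var/lib/sops", "type": "Directory"}, "name": "sops"},
    {"hostPath": {"path": "/run/config/k8s-encryption", "type": "Directory"}, "name": "k8s-encryption"},
]
GUARDED_PATHS = {vm["mountPath"] for vm in MOUNTS}


def patch_apiserver_manifest(manifest: dict) -> dict:
    """Return a copy of the static pod manifest with the flag, mounts and volumes added."""
    m = copy.deepcopy(manifest)
    container = m["spec"]["containers"][0]
    # drop any previous --encryption-provider-config so the flag appears exactly once
    cmd = [a for a in container.get("command", []) if not a.startswith("--encryption-provider-config")]
    cmd.append(ENC_FLAG)
    container["command"] = cmd
    mounts = container.setdefault("volumeMounts", [])
    present = {vm["name"] for vm in mounts}
    mounts.extend(copy.deepcopy(vm) for vm in MOUNTS if vm["name"] not in present)
    volumes = m["spec"].setdefault("volumes", [])
    present = {v["name"] for v in volumes}
    volumes.extend(copy.deepcopy(v) for v in VOLUMES if v["name"] not in present)
    return m


def verify_apiserver_manifest(manifest: dict) -> list:
    """Findings for a manifest: flag present, mounts backed by volumes and read-only."""
    findings = []
    container = manifest["spec"]["containers"][0]
    if ENC_FLAG not in container.get("command", []):
        findings.append("encryption-provider-config flag missing")
    volume_names = {v["name"] for v in manifest["spec"].get("volumes", [])}
    for vm in container.get("volumeMounts", []):
        if vm["name"] not in volume_names:
            findings.append(f"mount {vm['mountPath']} has no volume {vm['name']!r}")
        # the key socket and the config file must not be writable from the apiserver container
        if vm["mountPath"] in GUARDED_PATHS and not vm.get("readOnly"):
            findings.append(f"mount {vm['mountPath']} should be readOnly")
    return findings


# Constructed stand-in for /etc/kubernetes/manifests/kube-apiserver.yaml (not the real file).
SAMPLE_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {
        "containers": [{
            "name": "kube-apiserver",
            "image": "kube-apiserver:PLACEHOLDER",
            "command": ["kube-apiserver", "--secure-port=6443"],
            "volumeMounts": [{"mountPath": "/run/config/pki", "name": "pki", "readOnly": True}],
        }],
        "volumes": [{"hostPath": {"path": "/run/config/pki", "type": "Directory"}, "name": "pki"}],
    },
}

if __name__ == "__main__":
    patched = patch_apiserver_manifest(SAMPLE_MANIFEST)
    print("before:", verify_apiserver_manifest(SAMPLE_MANIFEST))
    print("after: ", verify_apiserver_manifest(patched) or "ok")
```

The verify step is the part worth keeping around: if a Docker for Mac update rewrites the manifest, the flag disappears and kube-apiserver quietly goes back to storing secrets in plaintext.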

To check that secrets are encrypted

Create a new secret, then run this inside the etcd pod:

ETCDCTL_API=3 etcdctl get --hex --endpoints https://localhost:2379 --cacert /run/config/pki/etcd/ca.crt --key /run/config/pki/etcd/server.key --cert /run/config/pki/etcd/server.crt /registry/secrets/your-secret-ns/your-secret
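Reading the hex dump by eye works for one secret; for more than that it helps to decode it. kube-apiserver prefixes every value it encrypts with "k8s:enc:<provider>:v1:<name>:" (for the config above, "k8s:enc:kms:v1:sops:"), while a value stored through the identity provider starts with the plain protobuf marker "k8s" followed by a NUL byte. The script below, added here and not part of the repository, decodes the alternating key/value lines that etcdctl get --hex prints and flags any secret not encrypted by the expected KMS name. SAMPLE_OUTPUT is constructed (the ciphertext bytes are made up) and to_etcdctl_hex exists only to build it.

```python
import re

# kube-apiserver prefixes encrypted values with "k8s:enc:<provider>:v1:<name>:"
ENC_PREFIX = b"k8s:enc:"


def decode_etcdctl_hex(text: str) -> bytes:
    """Decode one line of `etcdctl get --hex` output (\\x2f\\x72... style) to bytes.
    Bare hex without the \\x markers is accepted as well."""
    cleaned = re.sub(r"\\x|\s", "", text)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError(f"not hex-encoded etcdctl output: {text[:40]!r}")
    return bytes.fromhex(cleaned)


def classify_stored_value(raw: bytes) -> dict:
    """Say whether an etcd value went through an encryption provider, and which one."""
    if not raw.startswith(ENC_PREFIX):
        # identity provider (or no --encryption-provider-config): object stored as-is
        if raw.startswith(b"k8s\x00"):
            fmt = "protobuf"
        elif raw[:1] == b"{":
            fmt = "json"
        else:
            fmt = "unknown"
        return {"encrypted": False, "provider": "identity", "name": None, "format": fmt}
    parts = raw.split(b":", 5)  # k8s, enc, <provider>, v1, <name>, <ciphertext>
    if len(parts) < 6:
        return {"encrypted": True, "provider": None, "name": None, "format": "malformed"}
    return {
        "encrypted": True,
        "provider": parts[2].decode(errors="replace"),
        "name": parts[4].decode(errors="replace"),
        "format": parts[3].decode(errors="replace"),  # envelope version, "v1" here
    }


def audit_etcdctl_output(output: str, expected_kms_name: str) -> list:
    """Pair key/value lines from `etcdctl get --hex` and flag every secret that is not
    encrypted by the expected KMS provider (e.g. one written before the config was
    applied and not yet rewritten)."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("etcdctl prints key and value on alternating lines")
    findings = []
    for key_line, value_line in zip(lines[::2], lines[1::2]):
        key = decode_etcdctl_hex(key_line).decode(errors="replace")
        info = classify_stored_value(decode_etcdctl_hex(value_line))
        ok = info["encrypted"] and info["provider"] == "kms" and info["name"] == expected_kms_name
        findings.append({"key": key, "ok": ok, **info})
    return findings


def to_etcdctl_hex(data: bytes) -> str:
    """Render bytes the way `etcdctl --hex` prints them; only used to build the sample."""
    return "".join(f"\\x{b:02x}" for b in data)


# Constructed sample: one secret written after the KMS config was enabled and one
# legacy secret still stored as plaintext protobuf. Ciphertext bytes are made up.
SAMPLE_OUTPUT = "\n".join([
    to_etcdctl_hex(b"/registry/secrets/demo/db-creds"),
    to_etcdctl_hex(b"k8s:enc:kms:v1:sops:" + bytes(range(32))),
    to_etcdctl_hex(b"/registry/secrets/demo/legacy"),
    to_etcdctl_hex(b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret"),
])

if __name__ == "__main__":
    for f in audit_etcdctl_output(SAMPLE_OUTPUT, expected_kms_name="sops"):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {f['key']}: provider={f['provider']} name={f['name']} format={f['format']}")
```

To audit the whole namespace rather than one secret, run the etcdctl command above with --prefix /registry/secrets/ and feed its output to audit_etcdctl_output; every "BAD" line is a secret that still needs a rewrite (for example via kubectl get secrets --all-namespaces -o json | kubectl replace -f -) before the identity fallback can be removed.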
