I have configured Flux to use SOPS to decrypt. Here's a brief highlight of what I did. In the gotk-sync.yaml file I have added the decryption property.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/my-cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: my-private-key
The secret my-private-key is created correctly and has the private key.
I have pushed the file and the change has taken effect.
In my application repo I have a secret file.
apiVersion: v1
kind: Secret
metadata:
  name: mysqlcreds
type: Opaque
data: null
stringData:
  DB_USER: bugs
  DB_PASSWORD: bunny
I'm encrypting this file with SOPS and pushing it. Flux picks up the change and reconciles. But the stringData values remain encrypted. My application gets these values from the environment variables and they show up encrypted like this:
ENC[AES256_GCM,data:PdU1ex4H,iv:p5u11vsmHc/tBVGV2g9kTsMSFvQDiYNEwFVeEeMg/pY=,tag:/JTTNNRnYh076EPAd8c/LA==,type:str]
I can't figure out why Flux is not decrypting the data. How do I debug this? flux logs shows nothing wrong.
I was enabling SOPS for the wrong Git repo. I had to do that for my application git repo's Kustomization.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-demo-webapp
  namespace: flux-system
spec:
  interval: 5m0s
  path: ./flux-config
  prune: true
  sourceRef:
    kind: GitRepository
    name: my-demo-webapp
  targetNamespace: default
  decryption:
    provider: sops
    secretRef:
      name: my-private-key
After that decryption worked fine.
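The root cause in the answer above is that SOPS decryption is a per-Kustomization setting: Flux decrypts only the manifests rendered by a Kustomization that has spec.decryption, so a key configured on flux-system does nothing for a second Kustomization that points at a different GitRepository. The following script is an added example (not code from the question, the answer, or the Flux project) that audits a set of Kustomization manifests for exactly this mismatch. It also flags a decryption secretRef that is missing from the Kustomization's own namespace, because kustomize-controller looks the key Secret up there. To run offline without a YAML library, the manifests are embedded as the dicts yaml.safe_load would return; the repository contents, the cluster Secret list and the function names are constructed for the example.

```python
"""Audit Flux Kustomizations for SOPS decryption misconfigurations (added example)."""
import re

# sops writes ciphertext as ENC[<cipher>,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(r"^ENC\[[A-Z0-9_]+,")


def is_sops_encrypted(manifest):
    """True if a manifest carries sops metadata or ENC[...] ciphertext values."""
    if "sops" in manifest:  # sops appends its own metadata block when encrypting
        return True
    for section in ("data", "stringData"):
        values = manifest.get(section) or {}  # 'data: null' as in the question
        if any(isinstance(v, str) and ENC_RE.match(v) for v in values.values()):
            return True
    return False


def audit(kustomizations, repo_files, cluster_secrets):
    """Return (kustomization name, message) findings.

    kustomizations: Kustomization manifests as dicts
    repo_files: {(GitRepository name, path): [manifests in that path]}
    cluster_secrets: {(namespace, name)} of Secrets that exist on the cluster
    """
    findings = []
    for ks in kustomizations:
        name = ks["metadata"]["name"]
        ns = ks["metadata"].get("namespace", "flux-system")
        spec = ks["spec"]
        src = spec["sourceRef"]
        encrypted = [m["metadata"]["name"]
                     for m in repo_files.get((src["name"], spec["path"]), [])
                     if is_sops_encrypted(m)]
        decryption = spec.get("decryption")
        if encrypted and not decryption:
            findings.append((name, f"path {spec['path']} of GitRepository "
                                   f"{src['name']} contains SOPS-encrypted "
                                   f"objects {encrypted} but spec.decryption is not set"))
            continue
        if decryption:
            if decryption.get("provider") != "sops":
                findings.append((name, f"unsupported decryption provider "
                                       f"{decryption.get('provider')!r}"))
            ref = decryption.get("secretRef", {}).get("name")
            if ref and (ns, ref) not in cluster_secrets:
                findings.append((name, f"decryption secret {ref!r} not found in "
                                       f"namespace {ns!r}; it must live in the "
                                       f"Kustomization's own namespace"))
    return findings


# --- constructed fixtures mirroring the thread -------------------------------
SOPS_DECRYPTION = {"provider": "sops", "secretRef": {"name": "my-private-key"}}

FLUX_SYSTEM_KS = {
    "apiVersion": "kustomize.toolkit.fluxcd.io/v1beta2", "kind": "Kustomization",
    "metadata": {"name": "flux-system", "namespace": "flux-system"},
    "spec": {"path": "./clusters/my-cluster",
             "sourceRef": {"kind": "GitRepository", "name": "flux-system"},
             "decryption": SOPS_DECRYPTION},
}
APP_KS_BROKEN = {  # the state described in the question: no decryption block
    "apiVersion": "kustomize.toolkit.fluxcd.io/v1beta2", "kind": "Kustomization",
    "metadata": {"name": "my-demo-webapp", "namespace": "flux-system"},
    "spec": {"path": "./flux-config",
             "sourceRef": {"kind": "GitRepository", "name": "my-demo-webapp"}},
}
APP_KS_FIXED = {**APP_KS_BROKEN,
                "spec": {**APP_KS_BROKEN["spec"], "decryption": SOPS_DECRYPTION}}
ENCRYPTED_SECRET = {  # ciphertext taken from the question, sops block constructed
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "mysqlcreds"},
    "type": "Opaque", "data": None,
    "stringData": {"DB_USER": "ENC[AES256_GCM,data:PdU1ex4H,iv:p5u11vsmHc/tBVGV2g9"
                              "kTsMSFvQDiYNEwFVeEeMg/pY=,tag:/JTTNNRnYh076EPAd8c/"
                              "LA==,type:str]"},
    "sops": {"version": "3.7.3", "mac": "ENC[AES256_GCM,data:...,type:str]"},
}
REPO_FILES = {("flux-system", "./clusters/my-cluster"): [APP_KS_BROKEN],
              ("my-demo-webapp", "./flux-config"): [ENCRYPTED_SECRET]}
CLUSTER_SECRETS = {("flux-system", "my-private-key")}


def audit_before():
    """Findings for the configuration the question describes."""
    return audit([FLUX_SYSTEM_KS, APP_KS_BROKEN], REPO_FILES, CLUSTER_SECRETS)


def audit_after():
    """Findings once decryption is moved onto the application Kustomization."""
    return audit([FLUX_SYSTEM_KS, APP_KS_FIXED], REPO_FILES, CLUSTER_SECRETS)


if __name__ == "__main__":
    for label, result in (("before", audit_before()), ("after", audit_after())):
        print(label, result or "no findings")
```

On a live cluster the same check reduces to comparing `kubectl get kustomization -n flux-system -o yaml` output against which GitRepository actually holds the encrypted files; the broken configuration in the question yields one finding against my-demo-webapp, and the fixed one yields none.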