Bootstrapping Secrets Enterprise
When accessing protected resources there is a need for a client to authenticate before the access is granted and the resource is consumed. For authentication, a client presents credentials that are either created manually or available through infrastructure. A common scenario is to have a secrets store.
Weave Gitops allows you to provision the secret management infrastructure as part of its capabilities. However, in order to provision, as any other application that has secrets, we need to create the secret needed for installing it. This is known as a chicken-egg scenario that get addressed by providing an initial secret. This secret we call it bootstrapping secret.
Bootstrapping secrets comes in handy, not only while provisioning your secrets management solution, but also in any platform provisioning task where the existence of the secret is a prerequisite. Another common example could be provisioning platform capabilities via profiles that are stored in private repositories.
Weave Gitops provides SecretSync as a solution to managing your bootstrapping secrets.
SecretSync
This feature is in alpha and certain aspects will change
We're very excited for people to use this feature. However, please note that changes in the API, behaviour and security will evolve. The feature is suitable to use in controlled testing environments.
SecretSync is a Kubernetes Custom Resource
that provides semantics to sync Kuberentes Secrets from management cluster to leaf clusters.
An example could be seen below:
apiVersion: capi.weave.works/v1alpha1
kind: SecretSync
metadata:
name: my-dev-secret-syncer
namespace: default
spec:
clusterSelector:
matchLabels:
environment: dev
secretRef:
name: my-dev-secret
targetNamespace: my-namespace
Where you could find the following configuration sections:
1) Select the secret to sync:
secretRef:
name: my-dev-secret
2) Specify the GitopsClusters that the secret will be synced to via labels:
clusterSelector:
matchLabels:
environment: dev
Secretsync reconciles secrets on clusters: any cluster at a future time matching the label selector will have
the secret reconciled too.
More info about the CRD spec here
Working with SecretSync
Pre-requisites
- You are using Weave Gitops Enterprise version > v0.19.0
- You have a set of GitopsClusters representing the clusters that you want to sync the secret to. They have a set of labels to allow matching.
Expand to see example
apiVersion: gitops.weave.works/v1alpha1
kind: GitopsCluster
metadata:
namespace: flux-system
labels:
environment: dev
- You have created a secret that you want to sync from the management cluster.
Expand to see example
apiVersion: v1
kind: Secret
metadata:
name: my-dev-secret
namespace: flux-system
type: Opaque
Some restriction apply to the current version:
- Resources should be in the same namespace
- Leaf cluster nodes should be annotated with
node-role.kubernetes.io/control-plane
Syncing secrets via SecretSync
- Create SecretSync manifests that points to your secret. For example:
apiVersion: capi.weave.works/v1alpha1
kind: SecretSync
metadata:
name: my-dev-secret-syncer
namespace: default
spec:
clusterSelector:
matchLabels:
environment: dev
secretRef:
name: my-dev-secret
targetNamespace: my-namespace
Check-in to your configuration repo within your management cluster
Create a PR, review and merge
See the progress
Once reconciled, the status section would show created secret resource version
status:
versions:
leaf-cluster-1: "211496"
- See the secret created in your leaf cluster
Your secret has been created in the target leaf cluster
➜ kubectl get secret -n default
NAME TYPE DATA
my-dev-secret Opaque 1