Merge pull request #2 from swade1987/age

feat: migration to using age for encryption/decryption tool

.gitignore

@@ -1,3 +1,4 @@
 .idea/
 _test/
 .DS_Store
+/secrets/age-key.txt

.sops.yaml

@@ -4,14 +4,12 @@ creation_rules:
     encrypted_regex: "^(data|stringData)$"
     shamir_threshold: 1
     key_groups:
-      - kms:
-          - arn: arn:aws:kms:us-west-2:<redacted>:key/1913ee1f-6c69-4e91-abe9-8bab6b89ab88
-            role: arn:aws:iam::<redacted>:role/flux-secrets-us-west-2
+      - age:
+          - age1jt42rcckms34skz77t56wvtqxy56n9s0flttavg5qm240aghqg5svglwz9
 
   - path_regex: secrets/us-west-2-platform-engineering-sbx
     encrypted_regex: "^(data|stringData)$"
     shamir_threshold: 1
     key_groups:
-      - kms:
-          - arn: arn:aws:kms:us-west-2:<redacted>:key/fedbdab9-12ed-4ad7-a71d-15c5ba4cb24e
-            role: arn:aws:iam::<redacted>:role/flux-secrets-us-west-2
+      - age:
+          - age1jt42rcckms34skz77t56wvtqxy56n9s0flttavg5qm240aghqg5svglwz9

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 stevenwadeconsulting
+Copyright (c) 2025 swade1987
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -4,8 +4,8 @@ SOPS_VERSION = v3.9.3
 YQ_VERSION = v4.44.3
 
 initialise: init
-	pre-commit --version || brew install pre-commit
 	ag -- version || brew install the_silver_searcher
+	age --version || brew install age
 	pre-commit --version || brew install pre-commit
 	pre-commit install --install-hooks
 	pre-commit run -a

README.md

@@ -1,5 +1,3 @@
-[![kustomize-checks](https://github.com/swade1987/flux2-kustomize-template/actions/workflows/kustomize-checks.yaml/badge.svg)](https://github.com/swade1987/flux2-kustomize-template/actions/workflows/kustomize-checks.yaml)
-
 # Flux SOPs Template
 
 This is an opinionated template to use as a starting point for managing secrets with Flux and SOPs.
@@ -10,11 +8,12 @@ This is an opinionated template to use as a starting point for managing secrets
 
 **Solution:** Encrypt your Secret using a KMS key for the cluster with SOPs.
 
-For more information on Mozilla SOPs see [here](https://github.com/getsops/sops).
+For more information on SOPs see [here](https://github.com/getsops/sops).
 
 ## Features
 
 - Leverages [SOPs](https://github.com/getsops/sops) for encryption/decryption
+- Leverages [age](https://github.com/FiloSottile/age) for file encryption/decryption
 - Commits must meet [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
     - Automated with GitHub Actions ([commit-lint](https://github.com/conventional-changelog/commitlint/#what-is-commitlint))
 - Pull Request titles must meet [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
@@ -46,13 +45,9 @@ As well as this it validates that unencrypted secrets are not committed to the r
 
 For an example of how to add a secret to this repository see [here](docs/usage.md).
 
-## How does this repository work?
-
-For more information on how this repository works, please read [here](docs/deployment.md).
-
-## Adding a new cluster
+## How does this repository work with Flux?
 
-For more information on how to add a new cluster to this repository, please read [here](docs/adding-new-cluster.md).
+For more information on how this repository works with Flux, please read [here](docs/flux-integration.md).
 
 ## Contributing to the repository
 

bin/decrypt-secrets.sh

@@ -45,9 +45,9 @@ if ! which ag > /dev/null 2>&1; then
 fi
 
 # Make sure you have the latest version of sops installed.
-SOPS_VERSION_CHECK=$(sops --version | grep -c "3.6.1")
+SOPS_VERSION_CHECK=$(sops --version | grep -c "3.9.3")
 if [ "${SOPS_VERSION_CHECK}" -ne 1 ]; then
-  echo 'Please install sops v3.6.1'
+  echo 'Please install sops v3.9.3'
   exit 1
 fi
 

bin/encrypt-secrets.sh

@@ -79,9 +79,9 @@ if ! which ag > /dev/null 2>&1; then
 fi
 
 # Make sure you have the latest version of sops installed.
-SOPS_VERSION_CHECK=$(sops --version | grep -c "3.6.1")
+SOPS_VERSION_CHECK=$(sops --version | grep -c "3.9.3")
 if [ "${SOPS_VERSION_CHECK}" -ne 1 ]; then
-  echo 'Please install sops v3.6.1'
+  echo 'Please install sops v3.9.3'
   exit 1
 fi
 

docs/flux-integration.md

@@ -0,0 +1,52 @@
+# Deployment mechanism
+
+As you are probably aware we use the GitOps controller [Flux](https://github.com/fluxcd/flux2) to sync workloads into our clusters. This repository is no different in this regard.
+
+Flux has in-built support for [SOPs](https://github.com/getsops/sops) for more information see [here](https://toolkit.fluxcd.io/guides/mozilla-sops/).
+
+## Technical overview
+
+Create a secret with the age private key, the key name must end with .agekey to be detected as an age key:
+
+```
+cat example/age-key.txt |
+kubectl create secret generic sops-age \
+--namespace=flux-system \
+--from-file=age.agekey=/dev/stdin
+```
+
+Finally set the decryption secret in the Flux Kustomization to `sops-age`.
+
+```
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: k8s-secrets
+  namespace: flux-repos
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  secretRef:
+    name: automator-ssh-keypair
+  timeout: 60s
+  url: ssh://[email protected]/swade1987/flux2-sops-template
+---
+
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: k8s-secrets
+  namespace: flux-repos
+spec:
+  interval: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: k8s-secrets
+  prune: true
+  # THIS IS THE IMPORTANT SECTION BELOW
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+```

docs/pre-reqs.md

@@ -10,7 +10,7 @@ make initialise
 
 The above command will install the `pre-commit` package and setup pre-commit checks for this repository.
 
-## SOPS
+## SOPS & AGE
 
 sops is a way of encrypting files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP
 
@@ -21,38 +21,3 @@ To download SOPs simply execute the following command:
 ```
 make init
 ```
-
-## AWS CLI configured
-
-As we are using KMS to encrypt our secrets you need to have your local AWS CLI configured correctly.
-
-All IAM roles that are required to be assumed by this repository need be assumed by any user using this repository.
-
-Once you have obtained credentials for your user you will need to perform the following steps
-
-### 1. ~/.aws/credentials
-
-You need to add your credentials for your user to `~/.aws/credentials` (see example below).
-
-```
-[users]
-aws_access_key_id=XXXXXXXXX
-aws_secret_access_key=XXXXXXXXX
-```
-
-### 2. ~/.aws/config
-
-You need to add a profile for `users` to `~/.aws/config` (see example below).
-
-```
-[users]
-region=eu-west-1
-```
-
-### 3. Export your profile
-
-To use this repository you need to export the `users` profile locally (see command below).
-
-```
-export AWS_PROFILE=users
-```

example/age-key.txt

@@ -0,0 +1,3 @@
+# created: 2025-01-23T14:25:38Z
+# public key: age1jt42rcckms34skz77t56wvtqxy56n9s0flttavg5qm240aghqg5svglwz9
+AGE-SECRET-KEY-1V4WP4Z9AJN9XQ4NFPD9AYHSFEZ6DK736DPU70AK7MVSRMGYFE55QUFL9HC

secrets/us-west-2-platform-engineering-prd/flux-system/flux-system-slack-token.yaml

@@ -4,20 +4,25 @@ metadata:
     name: slack-token
     namespace: flux-system
 data:
-    token: ENC[AES256_GCM,data:j0W1nZiiRVq7e0oiz44D1v4OfPg8nGhlL+MRLYP+AahHP8G63SME4a6i7mjlq/Ej9Vd5u6Yr1Q1Ptr7JunJjrYpX2yIhS5Dtbmh8xg==,iv:+yG49lREsTWmuFmRUbZFgzuqnYNyAxnaweJkGjYs9Ro=,tag:3xt7mUIeQedZag3oyFtrzg==,type:str]
+    token: ENC[AES256_GCM,data:vSOiv1Z0m1d4DwwvexWaOY8hRTaB0EV6Zw==,iv:4Jreltb0NK+VV1ePuyDEiYxBzlGlVQaErSo1LZohNcA=,tag:SqZySN21SdlOT0oONmMLOA==,type:str]
 sops:
     shamir_threshold: 1
-    kms:
-    -   arn: arn:aws:kms:us-west-2:<REDACTED>:key/1913ee1f-6c69-4e91-abe9-8bab6b89ab88
-        role: arn:aws:iam::<REDACTED>:role/flux-secrets-us-west-2
-        created_at: '2023-10-10T12:22:35Z'
-        enc: AQICAHgDvRnZl2sZA7AClbsNoi8M319TN2/IrYckwZ5etY3ADgE4Q6FT6HTEEkpS+ybuNiUUAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMLF8Fk2CNv+rlwKlvAgEQgDvGshebNDMWIZW3iv2fhA+VHv4qMPbSOb+p/rWvPwODofz40+HfbXhvdGKxfs04m4LqYikbVtpwGoI5Dw==
-        aws_profile: ""
+    kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    lastmodified: '2023-10-10T12:22:36Z'
-    mac: ENC[AES256_GCM,data:0cWYFqYAAfbA+K32hb88LCw678Xh5wGKWJzrP7P+YGwaRgBSwsfSArlbmQjN9bVf41GIPSlDYVwXMUnAku9OGgV1yoyiBFH+rnKxq2MUwZblY1R1AusbJEogFPH82Ds75UHWLklscHr4tOfY7UVaRNsUZzcOIj6qPfBP5y6VlTg=,iv:mdrYavCwcgNjmxbrGwXR5WCoEJKjn5J5qL6VJ7E26p4=,tag:B9g6QXZjNQNV3jQzeckdlA==,type:str]
+    age:
+        - recipient: age1jt42rcckms34skz77t56wvtqxy56n9s0flttavg5qm240aghqg5svglwz9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZ1ZzSVE0WGs3WXI3T3pI
+            NXpmODMwcWxMVHVBdTdSMW1zcDVkbjEvZmtVCjNIZlFoaUtpdFduMFJkTlFpcENS
+            TnVuSk1aWnNBUTVmaWlVTDV0Njd2SzAKLS0tICtvUlNPdHFOcFZlWXp5S3JqK1NZ
+            Nk8rRExBMVM2cU9PbkhtVUgwdWhEdTQKztuaZK5Iy6HXdFbXqu2qPDfNNtjkvo0N
+            6HnNmUdKpuks57dJg56BpFteid2AkND2u4ga34zJuXJIDkF0iyH1PQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-23T15:03:10Z"
+    mac: ENC[AES256_GCM,data:cJywOskVM2Hobd504xj+AdIUJlsvHiFvuQX+xnmHxdliQddnLJkr76SxnPDaCo3uaLjohhpXnyelzLKFHUulNnPuQTZtz28YITGDTplfieaYYiBwCYldvUkZ04TQk/2FR/DfwZxf8sDdKjTcATU6Ywn7BbAgfVo4AuI4s1FPvKM=,iv:0iap2EHlbUb3JNSqkW1vyT+oNip/eYqCVNljecknmO0=,tag:vZoHu9QuBmSOhceWbnPjcg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
-    version: 3.6.1
+    version: 3.9.3