-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path.sops.yaml
34 lines (34 loc) · 1.5 KB
/
.sops.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
---
# NOTE: This file is used for sops-based secret creation, not for decryption.
# When sops creates a new file, it will use the rules defined here.
# The instructions on how to decode each secret is embedded into the secret YAMLs themselves.
creation_rules:
# These secrets are used during infrastructure creation.
# Namely: used in operations with Terraform, Proxmox, and similar.
- path_regex: infrastructure\/.+\.sops.ya?ml
input_type: yaml
encrypted_regex: ^(data|stringData)$
key_groups:
- kms:
- arn: arn:aws:kms:us-east-1:912910253002:key/4e8ebbba-aa59-46c7-9ac7-b38b1bd1ef31
# These secrets are used during the initial bootstrapping phase of Kubernetes and
# should also be decryptable byo both age and KMS.
# The KMS backup is useful since the age key can be recovered from the KMS key and the `age.bootstrap.sops.yaml` file.
- path_regex: kubernetes\/.+\.bootstrap.sops.ya?ml
input_type: yaml
encrypted_regex: ^(data|stringData)$
key_groups:
- age:
- age1jzax78wrm0emunjs6gev7ahxzlzuazd3j6fwql2q532ymnsm8qvqtps9te
kms:
- arn: arn:aws:kms:us-east-1:912910253002:key/4e8ebbba-aa59-46c7-9ac7-b38b1bd1ef31
# These secrets are decrypted by Flux at deploy time and only need/have the age key.
- path_regex: kubernetes\/.+\.secrets?.sops.ya?ml
input_type: yaml
encrypted_regex: ^(data|stringData)$
key_groups:
- age:
- age1jzax78wrm0emunjs6gev7ahxzlzuazd3j6fwql2q532ymnsm8qvqtps9te
stores:
yaml:
indent: 4