在我们的团队中,有多个人处理Kubernets中的生产环境。对于每项服务,我们都会维护一个单独的Kubernets秘密文件。问题是,每当一个秘密值发生变化时,就很难在维护人员之间进行分配,也很难跟踪变化。我们可以维护git-reo来解决这个问题,但将DB凭据存储到普通文件中是有风险的。这里有一个方便的SOPS,Mozilla广泛使用它来保守他们的秘密。SOPS的基本概念非常简单,通过使用SOPS,您可以使用所有维护者的公共加密密钥来加密您的秘密文件。然后将加密的文件存储在git存储库中。每当你或你的团队成员需要实际的文件时,只需使用SOPS解密文件。SOPS最好的部分是它可以识别文件类型,只加密值而不是密钥。由于它只对值进行加密,git历史记录可以指出哪些密钥值被更改了。SOPS支持多种加密机制,但在本文中,我只关注gpg密钥。
GnuPG安装
正如我提到的,我将只关注gpg密钥加密,你需要在你的系统中安装GnuPG来生成gpg密钥。你可以使用二进制安装程序安装GnuPG,我更喜欢使用Homebrew,
>>> brew install gnupg2
现在您要生成您的gpg密钥,在运行以下命令后,您将被要求输入您的姓名和电子邮件地址。如果您的所有信息都可以,请按“O”并点击回车键,控制台会要求您设置一个可选的密码,如果您不想设置密码,请按OK。
>>> gpg --generate-key gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.Note: Use "gpg --full-generate-key" for a full featured key generation dialog.GnuPG needs to construct a user ID to identify your key.Real name: Mr. x Email address: mr.x@email.com You selected this USER-ID: "Mr. x <mr.x@email.com>"Change (N)ame, (E)mail, or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 411F71D23B22E116 marked as ultimately trusted gpg: revocation certificate stored as '/Users/rana/.gnupg/openpgp-revocs.d/0AB19F525F991CC847F744CA411F71D23B22E116.rev' public and secret key created and signed.pub rsa2048 2019-05-17 [SC] [expires: 2021-05-16] 0AB19F525F991CC847F744CA411F71D23B22E116 uid Mr. x <mr.x@email.com> sub rsa2048 2019-05-17 [E] [expires: 2021-05-16]
您已经生成了密钥和指纹(0AB19F525F991CC847F744CA411F71D23B22E116),现在将您的公钥注册到公钥服务器,例如http://keyserver.ubuntu.com/。 为此,只需导出您的公钥并将其粘贴到密钥服务器的大盒子中,然后按提交即可。 要导出您的公钥,请运行以下命令
>>> gpg --armor --export mr.x@email.com -----BEGIN PGP PUBLIC KEY BLOCK-----mQENBFzeQjABCACpKlgNWMQJolFZhs5gqeyWevYJ7QtPsF4LpX3AHxJSRBcYCZk9 pYaMCxCcU8tDRxgYpVace90DcP6MnyddKq0L+948fWpjZUqSlE/BByitkdhY834z 8noXyky+GLJ+5YJgEBwGK7mF32B1yFga057wK7p+8ziGsQ3Ib4nDCiVfbD5suiGa FpwWMxU/15Tx+2i+6TZKmwtCR3bIPuYa0x0P0nQphAKD1LrSMjUu3BEgv4abrl1x W9iFEKtk3jcfwWYCvFOHB0BuwFnTqqkmm+YJP+J6Qf6PTl/Z0N0YLFMDyWv347W+ l2UwIvxYpUSvrPhegzLUzhXfBubZ/bCXzuodABEBAAG0Fk1yLiB4IDxtci54QGVt YWlsLmNvbT6JAVQEEwEIAD4WIQQKsZ9SX5kcyEf3RMpBH3HSOyLhFgUCXN5CMAIb AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBBH3HSOyLhFrJRCACg rwsNYYvgrr4LRntxXdYrP32Hg23G4w6mWCngk0kHH7djCSzSeVRcPPPG+rkUN+xt QAIKuCnrAx4wH+lgINJ1BGf8CeAFPVRwNMxyB0OfU1ersTlOoPd0JubFWx647nuq RBh6cpjyPP4T/JUGmqzYlHTJU3UlKu7zWdvrqnh0DInqkB7n/TmJrULLIJOXJxXD fKCHC6nOQ52A7NhZMjn8jTFdtwEAvoih2H5jwrJ+/6srDnTZ8Hv5FunHxgeNS5LH /JjDSk2Z5FF1+BwSdN6BQdiRLC6607qRGnnYY2QDaiixwDyZF73xbbeeVgA+HP7F 9+Fsc/y+VjCVAVcp1gFbuQENBFzeQjABCADDeHfFyYQkILPk12Vf/PXF753uBup5 z1IYjGAf9TjwwdGq/VeS+4pTIYjTVU51+SEF2ezv7o+ml8kSQwU3ZoysPFE0pi6O huG/mo4oB7vv9wKZXf5OUjaKJXCVL05/GjHaRnFr/uJC9Rv7p6Nbyafr8ZBFzimu X08Df+HuFuLpENcctfDW9GKmxMwE9pTYMciAGcg0a5F29CISJEQdaX4hCYxF10RD 7BadXxf+l2GF8P1rLL8Cps2vM5QL4IhXlkvSX9gi+Hyg/DgL56RwAA18kYaQTMop HrxawWxYmCv//2N4xZuvUKNghoh52gmDuPUbbBvFXBfsgs9a9fd1DGJTABEBAAGJ ATwEGAEIACYWIQQKsZ9SX5kcyEf3RMpBH3HSOyLhFgUCXN5CMAIbDAUJA8JnAAAK CRBBH3HSOyLhFhzuB/0aB5IRnFMN6DZjLZbU+SeviI++AwsS3pBSZcCGAG4wm00H 0GbXv6ag8EGnACEpiRQ+bjMw5iySYAZZ1CJlRGT2xdupy9KWQIUp8p0tHpjHnwRv jxkk+6omW/SA/Apg/WJHVOYm9Csv2wyAtGw1ykV62gzbEcg5396Xlgqtb26tFTfP tJx7HRBntl8cL7BKqONox1rIs9SIlZ3yjb2nDmFk1X2W8uP+VnRsqX5v/6FcPHZL LtY+6/Yc133q3YuBo2NzrOttCIvxcw8EgApmxcTcM5bZsyNI12vdksOYN9zwxomW buccuqGEXERbq+Op1NU7/c5nSM9fR6Efq7K5UZLl =PYP/ -----END PGP PUBLIC KEY BLOCK-----
SOPS安装
对于sop的安装,Golang是先决条件。请确保您已经安装了Golang。所以就跑吧
>>>go get-u go.mozilla.org/sops/cmd/sops
如果Golang bin路径没有安装您的路径变量,您将无法全局访问sops二进制文件。要全局访问sops二进制文件,您可以使用路径变量装载Golang bin路径,或者只需将sop二进制文件复制到系统bin文件夹中。现在您必须设置一些环境变量。打开您的shell配置文件(在我的例子中是.zshrc)并导出以下变量
export SOPS_GPG_EXEC=“GPG” export SOPS_PGP_FP=“15EAB6D9F4D4C305B78E3388FDCAF78DECEB84EB” export SOPS_GPG_KEYSERVER=“KEYSERVER.ubuntu.com”
SOPS_GPG_EXEC是GPG二进制文件。SOPS_PGP_FP是一个以逗号分隔的方式列出的指纹列表,为您添加所有团队成员的指纹,以便您访问您的机密。SOPS_GPG_KEYSERVER用于指向您和您的团队成员已注册公钥的密钥服务器。
使用SOPS
假设我们有一个“secrets-dec.yaml”文件,其中包含非常重要的密钥foo和超机密值栏
要加密,请运行以下命令
>>> sops -e secrets-dec.yaml > secrets-enc.yaml
>>> cat secrets-enc.yaml
foo: ENC[AES256_GCM,data:lLNm,iv:quQDpvEezvAv7vu8D8KOzXl2pbTLbhtCG5E6UwJwXk4=,tag:q0kuoGQraWWYxhVkbnwU6g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
lastmodified: '2019-05-17T05:56:21Z'
mac: ENC[AES256_GCM,data:Jku7XHp9qM6SiY0QmqzjG+n285nLWcaceEmLA3B2A7OcnMqTpT8Vz7U8ibrzVBfHKsaZGvbKgA+S7bYI27aUfOGJP0n5FcQrWmMi09dUxVElXefjp57O7zmS2IqcRQfOHn9EdUM3QUN0dr35fYAE+7NlaXe4WQ3o2OjpfMSsLN0=,iv:vcwVusEkNAx+UHqbYJ3LdKcqGDvfWNaCH49jbcwcXbg=,tag:bVlxYilnU+NCNKeBF/QLbQ==,type:str]
pgp:
- created_at: '2019-05-17T05:55:16Z'
enc: |
-----BEGIN PGP MESSAGE-----hQEMA5Z1h+jahM/SAQf8CnoK+jJ4kfGA7BiP0XftoRnTZgzGh0haChY/nI2J3yAd
o5P4BmQBlm9xgxHg4QOUVSmwBRZ87lK/cgrrm+nXCMUZRtdxY/WBY3ELKNIy5A6M
Pw4V4l5R+o6Z6up7JwLqbrDXjO1Ll48NdQBLGGb6cnXB5OskHbbHKKEtligBaPHE
harHh1vlp4z7L6RPv5+IqZK8waX8ENG1RSODyK6Hj04qyUOT3pq8qZ71PSw+q7Rv
ciPeV5SwXfAZ8QTGYa8m3T/pdYOxlwEjT5Xr7Dqy2wzzp9w3IES4XYhMPxbFS1rQ
6Zp+YBQUrKyU+efzxcVcBUL4+nsqWqn2dk5SKfrX2NJeAf3GO2UHagi3f2aix5xQ
OVD2aDe0z9f29/imx6EqlgbU3mQrqL0AgZcHiJRRGr4VOpeG5KBRs8wtNEJYHh2v
NpUbuUfq1cace+7nRcXKzf7VTfSpPDR8Apa/fWGeYA==
=1Z6N
-----END PGP MESSAGE-----
fp: 15EAB6D9F4D4C305B78E3388FDCAF78DECEB84EB
unencrypted_suffix: _unencrypted
version: 3.3.0
sop最棒的地方是,它只会加密你的价值观。因此,如果您更改任何值,git-diff可以向您显示更改的键。每当您需要解密文件时,只需运行以下命令
>>> sops -d secrets-enc.yaml > secrets-dec.yaml >>> cat secrets-dec.yaml foo: bar
所以这是基本的sops去扔。sop有一些很棒的功能,要了解更多关于sop的信息,请阅读他们的完整文档。
小贴士
您可以维护一个约定,即每个未加密的文件都将以“-dec”结尾
加密后的文件将以“-enc”结尾,然后将以下模式添加到.gitignore文件中
*-dec.{your file extension}
