Guardrails That Stop It

• No Plaintext in Git: Any file under flux/secrets/ must be encrypted.
• sops-age Secret: Must exist in the flux-system namespace for decryption to work.
• no-secrets Hook: Local pre-commit hook that blocks files like kubeconfig or .env.
• flux-kustomize-validate Hook: Ensures your secret wiring is syntactically correct before commit.

Safe Workflow (Step-by-Step)

1. Verify Prerequisites: Ensure sops and age are installed locally.
2. Check for Key: Ensure the sops-age secret exists in your cluster:

   kubectl -n flux-system get secret sops-age
   

3. Create Secret: Use the helper script to create and encrypt your secret:

   scripts/sops-encrypt-secret.sh develop backend-secrets
   

4. Update Kustomization: Add the new .yaml file to flux/secrets/develop/kustomization.yaml.
5. Commit and Push: Add the encrypted file and the kustomization update to Git.

CI/Logs Guardrails

• Never print secrets: Avoid echo $SECRET in CI pipelines.
• No verbose traces: Do not use set -x in scripts that handle secrets.
• Check existence only: Verify that a secret exists without dumping its values:

  kubectl -n develop get secret backend-secrets -o name
  

Key Rotation

To rotate your Age keys and re-encrypt secrets:

1. Generate a new key: age-keygen -o age-new.agekey.
2. Update .sops.yaml: Replace the old public key with the new one.
3. Re-encrypt: Run sops rotate --in-place <file> for every secret.
4. Update Cluster: Delete and recreate the sops-age secret in flux-system.

This builds on: IaC workflows (Chapter 02) — secrets are part of the state model. This enables: GitOps (Chapter 04) — Flux decrypts secrets inside the cluster.