Core Track: Guardrails-first chapter in the core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • .sops.yaml
  • sops-encrypt-secret.sh

What You Will Produce

A reproducible lab result plus quiz verification and incident-safe operating evidence.

Guardrails That Stop It

  • No Plaintext in Git: Any file under flux/secrets/ must be encrypted.
  • sops-age Secret: Must exist in the flux-system namespace for decryption to work.
  • no-secrets Hook: Local pre-commit hook that blocks files like kubeconfig or .env.
  • flux-kustomize-validate Hook: Ensures your secret wiring is syntactically correct before commit.
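
The "No Plaintext in Git" and "no-secrets Hook" guardrails above can be enforced by a local pre-commit check. The script below is an added example, not the course's own no-secrets or flux-kustomize-validate hook; the script name scripts/check-secrets.sh and the extra rule that age identity files (*.agekey) are blocked alongside kubeconfig and .env files are assumptions of this example. A manifest counts as encrypted only when it carries a sops: metadata block with a MAC and every value under data:/stringData: is an ENC[...] envelope, which also catches the partially encrypted file where one plaintext key was added after the file was encrypted:

```shell
#!/bin/sh
# Added example (hypothetical scripts/check-secrets.sh), not the course's own hook.
# Usage: sh scripts/check-secrets.sh flux/secrets   (non-zero exit blocks the commit)

# is_sops_encrypted FILE -> 0 if FILE carries SOPS metadata and every value under
# data:/stringData: is an ENC[...] envelope; 1 otherwise.
is_sops_encrypted() {
  f="$1"
  grep -q '^sops:' "$f" || return 1          # SOPS metadata block present
  grep -q '^ *mac: ENC\[' "$f" || return 1   # integrity MAC present
  awk '
    /^(data|stringData):/ { insec = 1; next }   # enter the secret payload
    /^[^ ]/               { insec = 0 }         # any top-level key leaves it
    insec && /^ +[^ ]+: /  {
      val = $0; sub(/^ +[^ ]+: */, "", val)
      if (val !~ /^ENC\[/) bad = 1             # plaintext or bare base64 value
    }
    END { if (bad) exit 1; exit 0 }
  ' "$f"
}

# is_forbidden_path PATH -> 0 if the file name is one that must never be committed:
# kubeconfig and .env files (from the course guardrail) plus age identity files
# (assumption added in this example).
is_forbidden_path() {
  case "$(basename "$1")" in
    kubeconfig|*.kubeconfig|.env|.env.*|*.env|*.agekey) return 0 ;;
    *) return 1 ;;
  esac
}

# check_secrets_dir DIR -> 0 if nothing under DIR violates the guardrails, 1 otherwise.
# Reports every offending file before returning so one run shows all problems.
check_secrets_dir() {
  rc=0
  # Secret manifests: every YAML file except the kustomization files that list them.
  for f in $(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) ! -name 'kustomization.yaml'); do
    if ! is_sops_encrypted "$f"; then
      echo "BLOCKED: not SOPS-encrypted: $f" >&2
      rc=1
    fi
  done
  # Files that are forbidden regardless of content.
  for f in $(find "$1" -type f); do
    if is_forbidden_path "$f"; then
      echo "BLOCKED: forbidden file: $f" >&2
      rc=1
    fi
  done
  return $rc
}

if [ "$#" -gt 0 ]; then
  check_secrets_dir "$1"
fi
```

Only file names and a verdict are printed, never values, so the script is safe to run in CI as well as locally; the exit code is all the pipeline needs.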

Safe Workflow (Step-by-Step)

  1. Verify Prerequisites: Ensure sops and age are installed locally.
  2. Check for Key: Ensure the sops-age secret exists in your cluster:
    kubectl -n flux-system get secret sops-age
  3. Create Secret: Use the helper script to create and encrypt your secret:
    scripts/sops-encrypt-secret.sh develop backend-secrets
  4. Update Kustomization: Add the new .yaml file to flux/secrets/develop/kustomization.yaml.
  5. Commit and Push: Add the encrypted file and the kustomization update to Git.

CI/Logs Guardrails

  • Never print secrets: Avoid echo $SECRET in CI pipelines.
  • No verbose traces: Do not use set -x in scripts that handle secrets.
  • Check existence only: Verify that a secret exists without dumping its values:
    kubectl -n develop get secret backend-secrets -o name

Key Rotation

To rotate your Age keys and re-encrypt secrets:

  1. Generate a new key: age-keygen -o age-new.agekey.
  2. Update .sops.yaml: Replace the old public key with the new one.
  3. Re-encrypt: Run sops rotate --in-place <file> for every secret.
  4. Update Cluster: Delete and recreate the sops-age secret in flux-system.
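
The four rotation steps as one script, added here as an example rather than the course's own tooling. It assumes a single age recipient per rule in .sops.yaml (written as age: age1...), the hypothetical script name scripts/rotate-age-key.sh, and that the old private key is still reachable through SOPS_AGE_KEY_FILE while the files are re-encrypted. The --add-age/--rm-age flags are passed to sops rotate so the rotation replaces the recipient in each file's metadata as well as the data key; the new age-new.agekey file is the private half and must stay out of Git (the check hook treats *.agekey as forbidden for that reason).

```shell
#!/bin/sh
# Added example (hypothetical scripts/rotate-age-key.sh), not the course's own script.
# Usage: sh scripts/rotate-age-key.sh --run [flux/secrets]
set -eu

NEW_KEY_FILE="age-new.agekey"
SOPS_CONFIG=".sops.yaml"

# age_public_key KEYFILE -> prints the recipient (age1...) from the "# public key:"
# comment that age-keygen writes into every identity file.
age_public_key() {
  sed -n 's/^# public key: *//p' "$1" | head -n 1
}

# current_recipient CONFIG -> prints the first "age:" recipient in .sops.yaml
# (assumes one recipient per creation rule).
current_recipient() {
  sed -n 's/^ *age: *//p' "$1" | head -n 1
}

# swap_recipient CONFIG OLD NEW -> replaces OLD with NEW in CONFIG, keeping the
# previous file as CONFIG.bak; fails if NEW did not land in the file.
swap_recipient() {
  cp "$1" "$1.bak"
  sed "s/$2/$3/g" "$1.bak" > "$1"
  grep -q "$3" "$1"
}

# rotate_all SECRETS_DIR -> runs the four rotation steps against the live tooling.
rotate_all() {
  # Step 1: generate the new identity; private half stays local (mode 600, never committed).
  age-keygen -o "$NEW_KEY_FILE"
  chmod 600 "$NEW_KEY_FILE"
  NEW="$(age_public_key "$NEW_KEY_FILE")"
  OLD="$(current_recipient "$SOPS_CONFIG")"

  # Step 2: point .sops.yaml at the new recipient so future encryptions use it.
  swap_recipient "$SOPS_CONFIG" "$OLD" "$NEW"

  # Step 3: fresh data key per file, and swap the recipient in each file's metadata.
  # Decryption of the old data key needs the OLD private key via SOPS_AGE_KEY_FILE.
  find "$1" -type f -name '*.yaml' ! -name 'kustomization.yaml' |
  while read -r f; do
    sops rotate --in-place --add-age "$NEW" --rm-age "$OLD" "$f"
  done

  # Step 4: replace the cluster-side decryption key (the key name must end in .agekey).
  kubectl -n flux-system delete secret sops-age --ignore-not-found
  kubectl -n flux-system create secret generic sops-age \
    --from-file=age.agekey="$NEW_KEY_FILE"
  echo "rotated $OLD -> $NEW; commit the re-encrypted files and $SOPS_CONFIG"
}

if [ "${1:-}" = "--run" ]; then
  rotate_all "${2:-flux/secrets}"
fi
```

Commit the re-encrypted manifests and the updated .sops.yaml together, then recreate the cluster secret before Flux reconciles; a cluster that still holds only the old key cannot decrypt the rotated files.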

This builds on: IaC workflows (Chapter 02) — secrets are part of the state model. This enables: GitOps (Chapter 04) — Flux decrypts secrets inside the cluster.