Kuberig

Kuberig

  • Docs
  • Blog
  • Help

›Reference

Getting started

  • Intro
  • Quick Start
  • DSL Intro

Environments

  • Initializing an Environment
  • Managing Container Versions
  • Environment Support

Resource Coding

  • Coding Resources
  • Resource Grouping
  • Resource Apply Action
  • DSL Details

Code Samples

  • Defining a ConfigMap
  • Defining a Secret
  • Defining a Deployment
  • Defining a Service
  • Defining an Ingress

Reference

  • Configuration
  • Repository Organisation
  • Encryption Support
  • Service Account Setup

Encryption Support

KubeRig uses the Google Tink library in order to provide encryption support. We are currently using AeadKeyTemplates.AES256_CTR_HMAC_SHA256 keysets. A different keyset file is generated for every environment in the {environment-name}.keyset.json in the environment directory.

You should NEVER EVER commit the {environment-name}.keyset file. If you have used the initEnvironment or initGitIgnore task this file will already get ignored. You should have multiple secure backups of the .keyset files without them you can't decrypt/deploy to the environment.

If you loose a keyset file we can't help you!

In case you use the initEnvironment task encryption setup is setup already and you don't need to create an encryption key manually. The initEnvironment task will also make sure that your .gitignore file is updated.

If you have not used the initEnvironment task you can initialize the .gitignore file using the initGitIgnore task.

Conventions

KubeRig provides some basic conventions to deal with sensitive information in your environment repositories.

But even then it requires a lot of rigor to not accidentally commit sensitive information. You have been warned!

Sensitive Configuration Values

All configuration values for environments go in the {environment-name}-configs.properties file. Sensitive values can be encrypted.

Add your sensitive property and execute the encryptConfig task for the environment with the --key parameter passing in the property key.

The value of the property will be encrypted. You can use the decryptConfig task to update the value back to the plain value.

Remember to encrypt it back before you commit!

Sensitive Files

All configuration files for environments should go in the environments/{environment-name} directory.

Add your sensitive file and prefix it with .plain.. If you have used the initEnvironment task you will notice that the file is already ignored by git.

There are 2 tasks that you can use to encrypt/decrypt files. The encryptFile task that encrypts only the file that you specify with the --file parameter. The encrypt task that encrypts all .plain. files for the environment.

Last updated on 12/30/2020
← Repository OrganisationService Account Setup →
  • Conventions
    • Sensitive Configuration Values
    • Sensitive Files
Kuberig
Docs
HomeQuick StartDSL Intro
Community
Stack OverflowDiscordTwitter
More
BlogGitHubStar
Follow @kuberigio
Copyright © 2021 Rigeldev BV