From 396c3d7a02f422f1be6187132670a61d844e0b3e Mon Sep 17 00:00:00 2001 From: Joe Monk Date: Sun, 26 Jan 2025 17:54:03 +0000 Subject: [PATCH] Update the readme --- readme.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/readme.md b/readme.md index d0186e2..7b6eb71 100644 --- a/readme.md +++ b/readme.md @@ -58,7 +58,13 @@ I use sops with age to encrypt keys etc in git. Before pushing encrypted keys up, we'll need to re-encrypt them with a new key. From a shell with sops and age installed, and an already known key under `$HOME/.config/sops/age/keys.txt` (or `%AppData%\sops\age\keys.txt`), create a new key in this repo `age-keygen -o age.agekey`. -Add that new public key to the `.sops.yaml`, and push the secret key to the cluster with: +Add that new public key to the `.sops.yaml` + +In fish you can updatekeys in every secret (can just change to the bash equivalent if using bash) +`for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end` + +Then push the secret key to the cluster with: +(This will need to be done after the initial flux bootstrap to get the namespace created, bt the keys should be updated first) ```sh cat age.agekey | @@ -68,10 +74,6 @@ kubectl create secret generic sops-age \ ``` Delete age.agekey after sending it to the cluster. -Then update the encryption with `sops updatekeys -y apps/gluetun/secret.yaml`. - -In fish you can updatekeys in every secret (can just change to the bash equivalent if using bash) -`for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end` ### Using sops 
@@ -90,6 +92,11 @@ Install flux and everything in this repo with the following: - `flux bootstrap git --private-key-file=/config/.ssh/gitea --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/kairos` +### Reconcile + +If changes aren't being brought across correctly (maybe the sops key has been updated after the flux bootstrap...), force a reconciliation with `flux reconcile source git flux-system` +TODO - I don't actually know if this works, or it's just a timed thing that coincides + ## DNS We need to point a dns server to the server so we can access things via hostname rather than needing complex routing.
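Review bot: in the hunk at @@ -58,7 +58,13 @@, the added line `(This will need to be done after the initial flux bootstrap to get the namespace created, bt the keys should be updated first)` has a typo (`bt` for `but`) and folds two steps with opposite timing into one parenthesis; suggest stating the order the reader must follow: first run `sops updatekeys -y` over every secret and commit, then, once `flux bootstrap` has created the namespace, push the private key. Two caveats belong next to the fish loop as well: `$(...)` command substitution only exists in fish 3.4 and later (older fish needs `(...)`), and `sops updatekeys` can only re-encrypt a file it can already decrypt, so the existing key under `$HOME/.config/sops/age/keys.txt` must remain a recipient of each file; `grep -lr "sops:"` will also pick up any non-secret YAML that happens to contain that string, and the loop will error on such a file rather than skip it.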
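Review bot: in the hunk at @@ -68,10 +74,6 @@, removing the per-file `sops updatekeys -y apps/gluetun/secret.yaml` line and the duplicate fish loop leaves re-encryption described once and before the secret push, which is the right order, but the surviving `Delete age.agekey after sending it to the cluster.` now needs a sentence on local decryption: once the new private key is deleted, later `sops` edits and `updatekeys` runs only work if the old recipient stays in `.sops.yaml` (the earlier hunk says to add the new public key, not replace it) or if the new key is appended to `$HOME/.config/sops/age/keys.txt` before `age.agekey` is removed. Say which of the two the repo relies on.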
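Review bot: in the hunk at @@ -90,6 +92,11 @@, `flux reconcile source git flux-system` only makes source-controller fetch the latest commit of the GitRepository; it does not re-run the Kustomization that applies the manifests and performs the sops decryption, and that Kustomization is the object that will have failed if `sops-age` was pushed after bootstrap. Suggest `flux reconcile kustomization flux-system --with-source` (bootstrap names both the GitRepository and the Kustomization `flux-system`) and checking the failure first with `flux get kustomizations`. The line `TODO - I don't actually know if this works, or it's just a timed thing that coincides` should not ship in the readme: the "timed thing" is the Kustomization's reconcile interval retrying on its own, so replace the TODO with that explanation or move it to an issue.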