GitOps with FluxCD
Secret Management Sign Verification
DEMO Mozilla SOPS Admin
In this guide, you’ll learn how to generate an OpenPGP key pair using gpg, export the keys for use with Mozilla SOPS and FluxCD, and then securely clean up local key material. This workflow enables encrypted secrets in GitOps pipelines, so that only the private key held by Flux in-cluster can decrypt them.
1. Install & Review GPG
First, confirm that gpg is installed:
```bash
gpg --version
```
Then inspect common OpenPGP options:
| Option | Description | Example |
|---|---|---|
| `-o`, `--output` | Write output to a specific file | `gpg -o file.txt --decrypt secret.gpg` |
| `-s`, `--sign` | Create a signature | `gpg -s document.txt` |
| `-e`, `--encrypt` | Encrypt for the specified recipient | `gpg -e -r alice document.txt` |
| `--list-keys` | List public keys | `gpg --list-keys alice` |
| `--list-secret-keys` | List secret keys | `gpg --list-secret-keys` |
| `--armor` | ASCII-armored output | `gpg --armor --export [email protected]` |
Note
You can run `gpg --help` for a full list of options. Use `--openpgp` to enforce strict OpenPGP behavior.
2. Generate a GPG Key Pair
Create a 3072-bit RSA primary key and subkey with no passphrase or expiration. gpg does not accept the key parameters as command-line flags; in `--batch` mode they are read as a parameter block from standard input, where `%no-protection` is the equivalent of an empty passphrase. Replace the real name, email, and comment as needed:
```bash
gpg --batch --full-generate-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Expire-Date: 0
Name-Real: dev.us-e1.k8s
Name-Email: [email protected]
Name-Comment: k8s
%commit
EOF
```
When complete, note the key fingerprint in the output (e.g., 65DD426C08931CDEB33F4DCCE248B2366542A). You’ll use this in subsequent commands.
3. List and Verify Your Keys
View all public keys:
```bash
gpg --list-public-keys
```
Sample output:
```
pub   rsa3072 2023-04-06 [SCEA]
      65DD426C08931CDEB33F4DCCE248B2366542A
uid           [ultimate] dev.us-e1.k8s <[email protected]>
sub   rsa3072 2023-04-06 [SEA]
```
To filter by fingerprint:
```bash
gpg --list-public-keys 65DD426C08931CDEB33F4DCCE248B2366542A
```
And list secret keys:
```bash
gpg --list-secret-keys
```
4. Export Keys for SOPS & Flux
4.1 Export the Private Key
```bash
gpg --export-secret-keys --armor 65DD426C08931CDEB33F4DCCE248B2366542A \
  > sops-gpg.key
```
Warning
Keep sops-gpg.key confidential. This private key will be stored in-cluster as a Kubernetes secret. Never commit it to Git.
4.2 Export the Public Key
Prepare a directory in your Git repository for the public key and export it there:
```bash
mkdir -p bb-app-source/sops
cd bb-app-source/sops
gpg --export --armor 65DD426C08931CDEB33F4DCCE248B2366542A \
  > sops-gpg.pub
```
Commit sops-gpg.pub so that developers can encrypt secrets:
```bash
git add sops-gpg.pub
git commit -m "Add SOPS public key for Flux decryption"
```
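Because sops-gpg.key sits in the working tree while sops-gpg.pub is committed, a guard that refuses to commit any file carrying an OpenPGP private key block enforces the warning above mechanically. This is an added example, not code from the guide or from the Flux project; the hook location (.git/hooks/pre-commit) and the function names are assumptions, and the key files it builds for its self-check are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: pre-commit guard against committing an exported OpenPGP
# private key (e.g. sops-gpg.key) alongside the public key sops-gpg.pub.
# Install by copying this file to .git/hooks/pre-commit (assumed path).

# Return 0 if the file is safe to commit, 1 if it contains private key material.
check_no_private_key() {
    if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
        echo "pre-commit: $1 contains an OpenPGP private key block; refusing to commit" >&2
        return 1
    fi
    return 0
}

# Scan every staged (added/copied/modified) file; fail if any holds a private key.
check_staged_files() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        check_no_private_key "$f" || status=1
    done
    return $status
}

# Self-check on constructed placeholder files: the public key must pass,
# the private key must be rejected. Returns 0 when both hold.
demo_check() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'mQGNBGQu...' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$tmp/sops-gpg.pub"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'lQVYBGQu...' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$tmp/sops-gpg.key"
    check_no_private_key "$tmp/sops-gpg.pub" \
        && ! check_no_private_key "$tmp/sops-gpg.key" 2>/dev/null
    result=$?
    rm -rf "$tmp"
    return $result
}

# Hook entry point: only scan the index when running inside a git repository.
if git rev-parse --git-dir >/dev/null 2>&1; then
    check_staged_files || exit 1
fi
```

Run `sh pre-commit` outside a repository to exercise nothing, or call `demo_check` from a shell that has sourced the file to confirm the guard rejects the constructed private key.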
5. Create a Kubernetes Secret for Flux
Store the private key as a Secret in the flux-system namespace:
```bash
kubectl -n flux-system create secret generic sops-gpg \
  --from-file=sops.asc=sops-gpg.key
```
Verify the secret:
```bash
kubectl -n flux-system get secret sops-gpg
# NAME       TYPE     DATA   AGE
# sops-gpg   Opaque   1      30s
```
Flux reads this secret to decrypt any SOPS-encrypted manifests in Git.
6. Clean Up Local GPG Material
Once the keys are exported and stored, remove the exported private key file and both keys from your local keyring:
```bash
rm sops-gpg.key
# Remove both public and secret keys from your local keyring:
gpg --delete-secret-and-public-keys 65DD426C08931CDEB33F4DCCE248B2366542A
```
Confirm deletion:
```bash
gpg --list-secret-keys 65DD426C08931CDEB33F4DCCE248B2366542A
gpg --list-public-keys 65DD426C08931CDEB33F4DCCE248B2366542A
# gpg: error reading key: No public key
```
7. Summary
You have successfully:
- Generated a 3072-bit OpenPGP key pair without passphrase or expiry.
- Exported and committed the public key for developer usage.
- Created a Kubernetes secret containing the private key for FluxCD.
- Cleared all local key material to maintain security.
You’re now ready to encrypt secrets with sops-gpg.pub in your GitOps repository; Flux will automatically decrypt them in-cluster.