Refactoring GKE deployment and add Sops with Age (#820)

* Update: re init Kubernetes deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Add Flux v0.15.1 component manifests * Add Flux sync manifests * Add: Charts repositories Signed-off-by: Nicolas Lamirault <[email protected]> * Update: charts Signed-off-by: Nicolas Lamirault <[email protected]> * Add: GCP Secret Store CSI driver Signed-off-by: Nicolas Lamirault <[email protected]> * Update: refactoring GCP manifests path Signed-off-by: Nicolas Lamirault <[email protected]> * Update: refactoring CRDs Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Flux deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: daemonset name for CSI driver GCP Signed-off-by: Nicolas Lamirault <[email protected]> * Add: CRD for monitoring Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Secret Store CSI Driver Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Healthcheck for CSI driver Signed-off-by: Nicolas Lamirault <[email protected]> * Add: bump Observability module to v4.2.0 Signed-off-by: Nicolas Lamirault <[email protected]> * Update: documentation Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Sops use Age instead of GCP KMS Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Flux notifications Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Age setup Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Flux system monitoring Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Loki deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Loki kustomization Signed-off-by: Nicolas Lamirault <[email protected]> * Update: rename Operator label Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Loki configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Inspec GCP Portefaix v0.2.0 Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Vector on GCP Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Thanos Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Sops Age provider Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: CRD dependencies Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Nginx ingress controller Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Grafana deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Thanos configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Vector Kubernetes input Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Grafana persistence Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Thanos dployment Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Thanos service accounts Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Thanos healthcheck Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Grafana persistence Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Grafana dashboards Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: datasources Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: portefaix-hub name Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Grafana deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Grafana deployment Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Grafana as stafefulset Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Grafana dashboards directory Signed-off-by: Nicolas Lamirault <[email protected]> * Update: kube-prometheus-stack v16.13.0 Signed-off-by: Nicolas Lamirault <[email protected]> * Add: missing label Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Velero on GCP Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Helmreleae heatlthcheck for Velero Signed-off-by: Nicolas Lamirault <[email protected]> * Add: cert-manager Signed-off-by: Nicolas Lamirault <[email protected]> * Add: debug on script Signed-off-by: Nicolas Lamirault <[email protected]> * Add: echo to stderr Signed-off-by: Nicolas Lamirault <[email protected]> * Update: change GKE instances Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Thanos Rule service account Signed-off-by: Nicolas Lamirault <[email protected]> * Add: External DNS configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Lets Encrpyt certificate issuers Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: merge values Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: PathType for ingress Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: Ingress PathType Signed-off-by: Nicolas Lamirault <[email protected]> * Update: do not download dashboards Signed-off-by: Nicolas Lamirault <[email protected]> * Update: Chaos tools Signed-off-by: Nicolas Lamirault <[email protected]> * Add: Falco component Signed-off-by: Nicolas Lamirault <[email protected]> * Update: documentation for Makefile goals Signed-off-by: Nicolas Lamirault <[email protected]> * Update: k3s Github action configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: k3s Github action configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: k3s Github action configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: k3s Github action configuration Signed-off-by: Nicolas Lamirault <[email protected]> * Update: change k3s action Signed-off-by: Nicolas Lamirault <[email protected]> * Update: change k3s action Signed-off-by: Nicolas Lamirault <[email protected]> * Fix: k3s action Signed-off-by: Nicolas Lamirault <[email protected]> Co-authored-by: Flux <>
portefaix · Aug 16, 2021 · 8c47d5a · 8c47d5a
1 parent d52fa28
commit 8c47d5a
Show file tree

Hide file tree

Showing 137 changed files with 1,722 additions and 1,081 deletions.
diff --git a/.github/workflows/flux-e2e.yml b/.github/workflows/flux-e2e.yml
@@ -28,70 +28,22 @@ on:
       - 'clusters/**'
       - 'kubernetes/**'
 
-############################################################################
-# Kind
-
-# jobs:
-#   kind:
-#     runs-on: ubuntu-latest
-#     steps:
-#       - name: Checkout
-#         uses: actions/checkout@v2
-#       - name: Setup Kubernetes
-#         uses: engineerd/[email protected]
-#         with:
-#           # version: "v0.9.0"  # Kind version
-#           image: kindest/node:v1.16.9
-#       - name: Check kubernetes
-#         run: |
-#           kubectl cluster-info
-#           kubectl get pods -n kube-system
-#           echo "current-context:" $(kubectl config current-context)
-#           echo "environment-kubeconfig:" ${KUBECONFIG}
-#       - name: Download Flux
-#         run: |
-#           wget https://github.com/fluxcd/flux2/releases/download/v0.2.6/flux_0.2.6_linux_amd64.tar.gz
-#           sudo tar zxvf flux_0.2.6_linux_amd64.tar.gz -C /usr/local/bin
-#           flux -v
-#       - name: Flux
-#         run: |
-#           kubectl apply -f clusters/k3s/cicd/flux-system/gotk-components.yaml
-#           sleep 5
-#           kubectl apply -f clusters/k3s/cicd/flux-system/gotk-sync.yaml
-#           sleep 5
-#           flux check
-#         env:
-#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-
-      # - name: flux check --pre
-      #   run: |
-      #     ./bin/flux check --pre
-      # - name: flux install --manifests
-      #   run: |
-      #     ./bin/flux install --manifests ./manifests/install/
-      # - name: flux create source git
-      #   run: |
-      #     ./bin/flux create source git podinfo \
-      #       --url https://github.com/stefanprodan/podinfo  \
-      #       --tag-semver=">=3.2.3"
-      # - name: flux create source git export apply
-      #   run: |
-      #     ./bin/flux create source git podinfo-export \
-      #       --url https://github.com/stefanprodan/podinfo  \
-      #       --tag-semver=">=3.2.3" \
-      #       --export | kubectl apply -f -
-
-
 ############################################################################
 # K3S
 
 jobs:
   k3s:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
-        k8s_version: [v1.18.2-k3s1]
+        # https://github.com/k3s-io/k3s/releases
+        k8s_version:
+          - v1.18.20+k3s1
+          - v1.19.13+k3s1
+          - v1.20.9+k3s1
+          - v1.21.3+k3s1
+
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -103,15 +55,36 @@ jobs:
         CURRENT_BRANCH: ${{ github.head_ref }}
       if: github.event_name == 'pull_request'
 
-    - name: Setup k3s
-      uses: debianmaster/actions-k3s@master
-      id: k3s
+    # - name: Setup k3s
+    #   uses: debianmaster/[email protected]
+    #   id: k3s
+    #   with:
+    #     version: ${{ matrix.k8s_version }}
+
+    # - name: Check nodes on k3s
+    #   run: |
+    #     # To generate kubeconfigs for specific service accounts, current user must have read rights to the cluster-admin kubeconfig folder
+    #     sudo chown $(id -u):$(id -g) /tmp/output/
+    #     # export CLUSTER_ADMIN_KUBECONFIG=$KUBECONFIG
+
+    #     kubectl get nodes
+    #     kubectl get pods -A
+    #     sleep 20
+
+    - name: Start k8s locally
+      uses: jupyterhub/action-k3s-helm@v1
       with:
-        version: ${{ matrix.k8s_version }}
+        k3s-version: ${{ matrix.k8s_version }}
+        helm-version: v3.4.2 # releases:  https://github.com/helm/helm/tags
 
-    - name: Check nodes on k3s
+    - name: Verify function of k8s, kubectl, and helm
       run: |
-        kubectl get nodes
+        echo "kubeconfig: $KUBECONFIG"
+        kubectl version
+        kubectl get pods --all-namespaces
+
+        helm version
+        helm list
 
     - name: Setup Flux CLI
       uses: fluxcd/flux2/action@main
@@ -134,11 +107,15 @@ jobs:
         flux create kustomization flux-system \
           --source=flux-system \
           --path=./clusters/k3s/cicd/
-        sleep 30
+        sleep 60
+        echo "### Flux ###"
         flux check
+        sleep 10
+        echo "### Kustomizations ###"
         flux get kustomizations
+        sleep 10
+        echo "### Helm Releases ###"
         flux get helmreleases -A
-        sleep 30
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         CURRENT_BRANCH: ${{ github.head_ref }}

diff --git a/.secrets/gcp/prod/age/age.agekey b/.secrets/gcp/prod/age/age.agekey
diff --git a/.secrets/gcp/prod/vector/values.yaml b/.secrets/gcp/prod/vector/values.yaml
diff --git a/Makefile b/Makefile
@@ -37,7 +37,7 @@ init: ## Initialize environment
 
 .PHONY: doc
 doc: ## Generate documentation
-	@echo -e "$(OK_COLOR)[$(APP)] Documentation$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Documentation$(NO_COLOR)" >&2
 	@. $(PYTHON_VENV)/bin/activate && mkdocs serve
 
 .PHONY: diagrams
@@ -59,34 +59,34 @@ validate: ## Execute git-hooks
 
 .PHONY: terraform-init
 terraform-init: guard-SERVICE guard-ENV ## Plan infrastructure (SERVICE=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Init infrastructure$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Init infrastructure$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& terraform init -upgrade -reconfigure -backend-config=backend-vars/$(ENV).tfvars
 
 .PHONY: terraform-plan
 terraform-plan: guard-SERVICE guard-ENV ## Plan infrastructure (SERVICE=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Plan infrastructure$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Plan infrastructure$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& terraform init -upgrade -reconfigure -backend-config=backend-vars/$(ENV).tfvars \
 		&& terraform plan -var-file=tfvars/$(ENV).tfvars
 
 .PHONY: terraform-apply
 terraform-apply: guard-SERVICE guard-ENV ## Builds or changes infrastructure (SERVICE=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Apply infrastructure$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Apply infrastructure$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& terraform init -upgrade -reconfigure -backend-config=backend-vars/$(ENV).tfvars \
 		&& terraform apply -var-file=tfvars/$(ENV).tfvars
 
 .PHONY: terraform-destroy
 terraform-destroy: guard-SERVICE guard-ENV ## Builds or changes infrastructure (SERVICE=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Apply infrastructure$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Apply infrastructure$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& terraform init -upgrade -reconfigure -backend-config=backend-vars/$(ENV).tfvars \
 		&& terraform destroy -lock-timeout=60s -var-file=tfvars/$(ENV).tfvars
 
 .PHONY: terraform-tflint
 terraform-tflint: guard-SERVICE ## Lint Terraform files
-	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& tflint \
 		--enable-rule=terraform_deprecated_interpolation \
@@ -104,13 +104,13 @@ terraform-tflint: guard-SERVICE ## Lint Terraform files
 
 .PHONY: terraform-tfsec
 terraform-tfsec: guard-SERVICE ## Scan Terraform files
-	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& tfsec \
 
 .PHONY: terraform-docs
 terraform-docs: guard-SERVICE ## Generate documentation
-	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Lint Terraform code$(NO_COLOR)" >&2
 	@cd $(SERVICE)/terraform \
 		&& terraform-docs markdown . > README.md
 
@@ -135,10 +135,6 @@ kubernetes-switch: guard-ENV ## Switch Kubernetes context (ENV=xxx)
 kubernetes-secret: guard-NAMESPACE guard-NAME guard-FILE ## Generate a Kubernetes secret file (NAME=xxxx NAMESPACE=xxxx FILE=xxxx)
 	@kubectl create secret generic $(NAME) -n $(NAMESPACE) --dry-run=client --from-file=$(FILE) -o yaml
 
-.PHONY: kubernetes-sealed-secret
-kubernetes-sealed-secret: guard-FILE ## Sealed secret
-	kubeseal --format=yaml --cert=$(CERT) < $(FILE) > $$(dirname $(FILE))/$$(basename -s .yaml $(FILE))-sealed.yaml
-
 .PHONY: kubernetes-credentials
 kubernetes-credentials: guard-ENV guard-CLOUD ## Generate credentials (CLOUD=xxxx ENV=xxx)
 	make -f hack/$(CLOUD).mk $(CLOUD)-kube-credentials ENV=$(ENV)
@@ -179,31 +175,43 @@ kubernetes-credentials: guard-ENV guard-CLOUD ## Generate credentials (CLOUD=xxx
 # 		-f $(SERVICE)/terraform/tfvars/values.yaml \
 # 		-f $(SERVICE)/terraform/tfvars/$(ENV)-values.yaml | conftest test -p $(POLICY) --all-namespaces -
 
+.PHONY: helm-flux-chart
+helm-flux-chart: guard-CHART ## Display Helm chart informations (CHART=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Helm repository and chart $(CHART)$(NO_COLOR)" >&2
+	@DEBUG=true . hack/scripts/chart.sh $(CHART)
+
 .PHONY: helm-flux-repo
-helm-flux-repo: guard-CHART ## Configure Helm repository and chart
-	@echo -e "$(OK_COLOR)[$(APP)] Helm repository and chart $(CHART)$(NO_COLOR)"
+helm-flux-repo: guard-CHART ## Configure Helm repository and chart (CHART=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Helm repository and chart $(CHART)$(NO_COLOR)" >&2
 	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
 		&& helm repo add $${CHART_REPO_NAME} $${CHART_REPO_URL} --force-update \
 		&& helm repo update
 
 .PHONY: helm-flux-values
-helm-flux-values: guard-CHART guard-ENV ## Display Helm values
-	@echo -e "$(OK_COLOR)[$(APP)] Helm show values $(CHART):$(ENV)$(NO_COLOR)"
+helm-flux-values: guard-CHART ## Display Helm values (CHART=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Helm show values $(CHART)$(NO_COLOR)" >&2
 	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
 		&& helm show values $${CHART_REPO_NAME}/$${CHART_NAME} --version $${CHART_VERSION}
 
+.PHONY: helm-flux-custom
+helm-flux-show: guard-CHART guard-CLOUD guard-ENV ## Show Helm chart values set for Flux (CHART=xxx CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Build Helm chart ${CHART}:${ENV}$(NO_COLOR)" >&2
+	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
+		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh "$(CHART)" "$(CLOUD)/$(ENV)") \
+		&& cat $${TMPFILE}
+
 .PHONY: helm-flux-template
-helm-flux-template: guard-CHART guard-ENV ## Install Helm chart (CHART=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Build Helm chart ${CHART}:${ENV}$(NO_COLOR)"
+helm-flux-template: guard-CHART guard-CLOUD guard-ENV ## Install Helm chart (CHART=xxx CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Build Helm chart ${CHART}:${ENV}$(NO_COLOR)" >&2
 	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
-		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh $(CHART) $(ENV)) \
+		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh "$(CHART)" "$(CLOUD)/$(ENV)") \
 		&& helm template --debug $${CHART_NAME} $${CHART_REPO_NAME}/$${CHART_NAME} --namespace $${CHART_NAMESPACE} -f $${TMPFILE}
 
 .PHONY: helm-flux-install
-helm-flux-install: guard-CHART guard-ENV ## Install Helm chart (CHART=xxx ENV=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Install Helm chart ${CHART}:${ENV}$(NO_COLOR)"
+helm-flux-install: guard-CHART guard-CLOUD guard-ENV ## Install Helm chart (CHART=xxx CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Install Helm chart ${CHART}:${ENV}$(NO_COLOR)" >&2
 	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
-		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh $(CHART) $(ENV)) \
+		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh "$(CHART)" "$(CLOUD)/$(ENV)") \
 		&& echo helm install $${CHART_NAME} $${CHART_REPO_NAME}/$${CHART_NAME} --namespace $${CHART_NAMESPACE} -f $${TMPFILE}
 
 
@@ -215,7 +223,7 @@ helm-flux-install: guard-CHART guard-ENV ## Install Helm chart (CHART=xxx ENV=xx
 
 .PHONY: opa-deps
 opa-deps: ## Setup OPA dependencies
-	@echo -e "$(OK_COLOR)[$(APP)] Install OPA policies $(POLICY)$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)[$(APP)] Install OPA policies $(POLICY)$(NO_COLOR)" >&2
 	@conftest pull --policy addons/policies/deprek8ion github.com/swade1987/deprek8ion//policies
 	@conftest pull --policy addons/policies/portefaix github.com/portefaix/portefaix-policies?ref=v0.3.0//policy
 
@@ -224,10 +232,10 @@ opa-test: ## Test policies
 	@opa test addons/policies/core
 
 .PHONY: opa-policy
-opa-policy-base: guard-CHART guard-ENV guard-POLICY ## Check OPA policies for a Helm chart (CHART=xxx ENV=xxx POLICY=xxx)
-	@echo -e "$(OK_COLOR)[$(APP)] Open Policy Agent check policies $(CHART):$(ENV)$(NO_COLOR)"
+opa-policy-base: guard-CHART guard-ENV guard-POLICY ## Check OPA policies for a Helm chart (CHART=xxx CLOUD=xxx ENV=xxx POLICY=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Open Policy Agent check policies $(CHART):$(ENV)$(NO_COLOR)" >&2
 	@DEBUG=$(DEBUG) . hack/scripts/chart.sh $(CHART) \
-		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh $(CHART) $(ENV)) \
+		&& export TMPFILE=$$(./hack/scripts/flux-helm.sh "$(CHART)" "$(CLOUD)/$(ENV)") \
 		&& helm template $${CHART_NAME} $${CHART_REPO_NAME}/$${CHART_NAME} --namespace $${CHART_NAMESPACE} -f $${TMPFILE} | conftest test --all-namespaces -p $(POLICY) -
 
 
@@ -239,64 +247,65 @@ opa-policy-base: guard-CHART guard-ENV guard-POLICY ## Check OPA policies for a
 
 .PHONY: inspec-deps
 inspec-deps: ## Install requirements
-	@echo -e "$(OK_COLOR)Install requirements$(NO_COLOR)"
+	@echo -e "$(OK_COLOR)Install requirements$(NO_COLOR)" >&2
 	@bundle config set path vendor/bundle --local \
 		&& bundle install
 
 
 # ====================================
-# P G P
+# S O P S
 # ====================================
 
-##@ PGP
+##@ Sops
+
+.PHONY: sops-age-key
+sops-age-key: guard-CLOUD guard-ENV ## Create an Age key (CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Create an Age key $(NO_COLOR)" >&2
+	@mkdir -p .secrets/$(CLOUD)/$(ENV)/age/ \
+		&& age-keygen -o .secrets/$(CLOUD)/$(ENV)/age/age.agekey
 
-.PHONY: pgp-list
-pgp-list: guard-CLOUD guard-ENV ## List PGP keys
-	@echo -e "$(OK_COLOR)[$(APP)] List PGP keys$(NO_COLOR)"
-	@
+.PHONY: sops-age-secret
+sops-age-secret: guard-CLOUD guard-ENV ## Create the Kubernetes secret using an AGE key (CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Create Kubernetes secret for AGE key $(NO_COLOR)" >&2
+	@kubectl create secret generic sops-age \
+		--namespace=flux-system \
+		--from-file=age.agekey=.secrets/$(CLOUD)/$(ENV)/age/age.agekey
 
-.PHONY: pgp-create
-pgp-create: guard-CLOUD guard-ENV ## Create a PGP key
-	@echo -e "$(OK_COLOR)[$(APP)] Create a PGP key $(NO_COLOR)"
+.PHONY: sops-pgp-key
+sops-pgp-key: guard-CLOUD guard-ENV ## Create a PGP key (CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Create a PGP key $(NO_COLOR)" >&2
 	@./hack/scripts/gpg.sh $(CLOUD) $(ENV)
 
-.PHONY: pgp-secret
-pgp-secret: guard-CLOUD guard-ENV ## Create the Kubernetes secret using PGP key
-	@echo -e "$(OK_COLOR)[$(APP)] Create Kubernetes secret for PGP key $(NO_COLOR)"
+.PHONY: sops-pgp-secret
+sops-pgp-secret: guard-CLOUD guard-ENV ## Create the Kubernetes secret using a PGP key (CLOUD=xxx ENV=xxx)
+	@echo -e "$(OK_COLOR)[$(APP)] Create Kubernetes secret for PGP key $(NO_COLOR)" >&2
 	@kubectl create secret generic sops-gpg \
 		--namespace=flux-system \
 		--from-file=sops.asc=.secrets/$(CLOUD)/$(ENV)/gpg/sops.asc
 
-# ====================================
-# S O P S
-# ====================================
-
-##@ Sops
-
 .PHONY: sops-encrypt
-sops-encrypt: guard-ENV guard-CLOUD guard-FILE ## Encrypt a Kubernetes secret file (CLOUD=xxx ENV=xxx FILE=xxx)
+sops-encrypt: guard-CLOUD guard-ENV guard-FILE ## Encrypt a Kubernetes secret file (CLOUD=xxx ENV=xxx FILE=xxx)
 	@sops --encrypt --encrypted-regex '^(data|stringData)' --in-place --$(SOPS_PROVIDER) $(SOPS_KEY) $(FILE)
 
 .PHONY: sops-encrypt-raw
-sops-encrypt-raw: guard-ENV guard-CLOUD guard-FILE ## Encrypt raw file (CLOUD=xxx ENV=xxx FILE=xxx)
+sops-encrypt-raw: guard-CLOUD guard-ENV guard-FILE ## Encrypt raw file (CLOUD=xxx ENV=xxx FILE=xxx)
 	@sops --encrypt --$(SOPS_PROVIDER) $(SOPS_KEY) $(FILE)
 
 .PHONY: sops-decrypt
-sops-decrypt: guard-FILE ## Decrypt
-	@sops --decrypt $(FILE)
-
+sops-decrypt: guard-CLOUD guard-ENV guard-FILE ## Decrypt (CLOUD=xxx ENV=xxx FILE=xxx)
+	@SOPS_AGE_KEY_FILE=.secrets/$(CLOUD)/$(ENV)/age/age.agekey sops --decrypt $(FILE)
 
 # ====================================
 # G I T O P S
 # ====================================
 
 ##@ Gitops
 
-.PHONY: gitops-bootstrap
+.PHONY: gitops-bootstrap (CLOUD=xxx ENV=xxx BRANCH=xxx)
 gitops-bootstrap: guard-ENV guard-CLOUD guard-BRANCH kubernetes-check-context ## Bootstrap Flux v2
 	./hack/scripts/bootstrap.sh clusters/$(CLOUD)/$(ENV) $(BRANCH)
 
 .PHONY: release-prepare
-release-prepare: guard-VERSION ## Update release label
+release-prepare: guard-VERSION ## Update release label (VERSION=xxx)
 	./hack/scripts/portefaix-labels.sh kubernetes $(VERSION)
 	./hack/scripts/validate.sh clusters kubernetes