From 6de380e16652677be1f417952d4d088c222456e3 Mon Sep 17 00:00:00 2001
From: Ricardo Rocha <rocha.porto@gmail.com>
Date: Tue, 21 Jan 2020 10:07:56 +0100
Subject: [PATCH] Improve documentation regarding secret handling

---
 README.md | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index e635e01..e718089 100644
--- a/README.md
+++ b/README.md
@@ -51,25 +51,41 @@ The structure of this repo is as follows:
 
 ## Secrets
 
-We recommend using the [helm secrets](https://gitlab.cern.ch/helm/plugins/barbican)
-plugin to encrypt the files under the *secrets* directory.
+This does not about handling Kubernetes Secret resources, that's handled by the
+different helm charts. This is a solution to handle sensitive information
+stored in the helm yaml files (that often populates the Kubernetes Secrets).
 
-As Flux does not understand this encryption method, we need to create these
-secrets in advance, following something like:
+The sensitive yaml content should be stored in a separate Secret object to be
+created explicitly, previously to deploying Flux. We recommend using the
+[barbican secrets](https://gitlab.cern.ch/helm/plugins/barbican) plugin to encrypt
+the files under the *secrets* directory.
+
+You'll need to source the project that should hold the encryption key.
+```bash
+export OS_TOKEN=$(openstack token issue -c id -f value)
+```
+
+And then edit and create the resources:
 ```bash
-kubectl create namespace prod
-kubectl create namespace stg
+kubectl create -f namespaces/prod.yaml
+kubectl create -f namespaces/stg.yaml
+
+helm secrets edit secrets/prod/secrets.yaml
+helm secrets edit secrets/stg/secrets.yaml
 
-kubectl create -f secrets/prod/secrets.yaml
-kubectl create -f secrets/stg/secrets.yaml
+kubectl secrets apply -f secrets/prod/secrets.yaml
+kubectl secrets apply -f secrets/stg/secrets.yaml
 ```
 
 Remember that these resources are not managed by Flux. If you need to update
 any part of the sensitive values yaml data, you need to update them manually
 by doing:
 ```
-kubectl apply -f secrets/prod/secrets.yaml
-kubectl apply -f secrets/stg/secrets.yaml
+helm secrets edit secrets/prod/secrets.yaml
+helm secrets edit secrets/stg/secrets.yaml
+
+kubectl secrets apply -f secrets/prod/secrets.yaml
+kubectl secrets apply -f secrets/stg/secrets.yaml
 ```
 
 In the near future there will be better integration of this way of handling
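Review bot: both command blocks in the new text call `kubectl secrets apply -f secrets/prod/secrets.yaml`, but the section only introduces and links the helm plugin, so a reader has no way to know where a `secrets` subcommand for kubectl comes from. Please add a sentence naming what provides it and how to install it, or correct the command if `helm secrets` was intended. The line "You'll need to source the project that should hold the encryption key" is followed only by `export OS_TOKEN=$(openstack token issue -c id -f value)`, which issues a token but does not show the sourcing step; either show that step or reword the sentence to say the project's credentials must already be loaded. The replacement text also drops the earlier explanation that Flux does not understand this encryption method, which was the reason these resources have to be created by hand; keeping one sentence of that would make the "not managed by Flux" paragraph easier to follow. Wording: "This does not about handling" should read "This is not about handling", "previously to deploying Flux" reads better as "before deploying Flux", and the second command block is fenced without the `bash` tag the others use.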
-- 
GitLab