chore: docs for adding encrypted secrets with ksops and age

README.md

@@ -0,0 +1,76 @@
+# Using KSOPS and adding secrets
+
+## Keys
+
+The public key is stored in the repo as `./.sops.yaml`.
+The private keys are:
+
+- K8s cluster as a secret
+- MacOS - `$HOME/Library/Application Support/sops/age/keys.txt`
+
+## 1. Create the resource
+
+```
+cat <<EOF > secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mysecret
+type: Opaque
+data:
+  username: YWRtaW4=
+  password: MWYyZDFlMmU2N2Rm
+EOF
+```
+
+## 2. Encrypt the resource
+
+Note 1: the encryption key is included in the repo, but the decryption key is not
+
+Note 2: Delete the plaintext resource after encrypting it.
+
+```
+# Encrypt with SOPS CLI
+# Specify SOPS configuration in .sops.yaml
+sops -e secret.yaml > secret.enc.yaml
+```
+
+## 3. Create teh KSOPS kustomize generator
+
+```
+# Create a local Kubernetes Secret
+cat <<EOF > secret-generator.yaml
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  # Specify a name
+  name: example-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          # if the binary is in your PATH, you can do
+          path: ksops
+          # otherwise, path should be relative to manifest files, like
+          # path: ../../../ksops
+files:
+  - ./secret.enc.yaml
+EOF
+```
+
+## 4. Add to kustomization
+
+```
+generators:
+  - ./secret-generator.yaml
+```
+
+## 5. Build to test
+
+```
+kustomize build --enable_alpha_plugins path/to/kustomization.yaml
+```
+
+# References
+
+- https://getsops.io/docs/#encrypting-and-decrypting-from-other-programs
+- https://github.com/viaduct-ai/kustomize-sops