# Using KSOPS and adding secrets

## Keys

The age public key (the encryption recipient) is stored in the repo in `./.sops.yaml`. The private (decryption) key is kept out of the repo:

- K8s cluster: as a secret
- macOS: `$HOME/Library/Application Support/sops/age/keys.txt`
- Linux: `$HOME/.config/sops/age/keys.txt`

## 1. Create the resource

```
cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF
```

## 2. Encrypt the resource

Note 1: the encryption key is included in the repo, but the decryption key is not.

Note 2: delete the plaintext resource after encrypting it.

```
# Encrypt with the SOPS CLI
# SOPS reads its configuration (recipients, creation rules) from .sops.yaml
sops -e secret.yaml > secret.enc.yaml
```

## 3. Create the KSOPS kustomize generator

```
# Create the KSOPS generator manifest that decrypts the file at build time
cat <<EOF > secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  # Specify a name
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        # if the binary is in your PATH, you can do
        path: ksops
        # otherwise, path should be relative to manifest files, like
        # path: ../../../ksops
files:
  - ./secret.enc.yaml
EOF
```

## 4. Add to kustomization

```
generators:
  - ./secret-generator.yaml
```

## 5. Build to test

```
kustomize build --enable_alpha_plugins path/to/kustomization.yaml
```

# References

- https://getsops.io/docs/#encrypting-and-decrypting-from-other-programs
- https://github.com/viaduct-ai/kustomize-sops
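A guard for the note in step 2 (only the encrypted file may reach the repo), as an added example that is not part of the KSOPS project: it checks that a `*.enc.yaml` carries a `sops:` metadata block with a MAC and that every value under `data:`/`stringData:` is an `ENC[AES256_GCM,...]` ciphertext. The sample files are constructed here with placeholder ciphertexts and a placeholder age recipient; the function name `check_sops_encrypted` is an assumption.

```shell
# Guard for the "delete the plaintext after encrypting" step: refuse a *.enc.yaml
# whose Secret data values are not sops ciphertexts. Returns 0 if OK, 1 otherwise.
check_sops_encrypted() {
  f="$1"
  # sops appends a metadata block carrying a MAC over the encrypted tree
  grep -q '^sops:' "$f" || { echo "$f: no sops metadata block" >&2; return 1; }
  grep -q '^ *mac: ENC\[' "$f" || { echo "$f: no sops mac" >&2; return 1; }
  # every scalar under data:/stringData: must be an ENC[AES256_GCM,...] value
  plain=$(awk '
    /^(data|stringData):/ { in_data = 1; next }
    /^[^ #]/              { in_data = 0 }
    in_data && /^ +[^ ]+: / && $2 !~ /^ENC\[AES256_GCM,/ { print }
  ' "$f")
  if [ -n "$plain" ]; then
    echo "$f: plaintext values found:" >&2
    echo "$plain" >&2
    return 1
  fi
  return 0
}

# Constructed samples (placeholder ciphertexts, not real sops output): one file
# shaped like sops -e output, and the plaintext Secret from step 1.
WORK=$(mktemp -d)
cat > "$WORK/secret.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: mysecret
type: Opaque
data:
    username: ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]
    password: ENC[AES256_GCM,data:b3RoZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1placeholderpublickey
          enc: placeholder
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF
cat > "$WORK/secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
data:
    username: YWRtaW4=
    password: MWYyZDFlMmU2N2Rm
EOF
```

Run it as a pre-commit hook over every staged `*.enc.yaml`; the plaintext sample is rejected with the offending lines, the encrypted one passes.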