# Using KSOPS and adding secrets

https://github.com/viaduct-ai/kustomize-sops

## 1. Create the resource

```
cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF
```

## 2. Encrypt the resource

Note 1: The encryption key is included in the repo, but the decryption key is not.

Note 2: Delete the plaintext resource after encrypting it.

```
# Encrypt with SOPS CLI
# Specify SOPS configuration in .sops.yaml
sops -e secret.yaml > secret.enc.yaml
```

## 3. Create the KSOPS kustomize generator

```
# Create the KSOPS generator manifest
cat <<EOF > secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  # Specify a name
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        # if the binary is in your PATH, you can do
        path: ksops
        # otherwise, path should be relative to manifest files, like
        # path: ../../../ksops
files:
  - ./secret.enc.yaml
EOF
```

## 4. Add to kustomization

```
generators:
  - ./secret-generator.yaml
```

## 5. Build to test

```
# The exec-style generator above needs both flags on kustomize v4 and later.
# Pass the directory that contains kustomization.yaml, not the file itself.
kustomize build --enable-alpha-plugins --enable-exec path/to/kustomization/
```
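
Note 2 in step 2 is easy to forget, so here is an added check (not part of KSOPS or SOPS) that lists Secret manifests still sitting in a directory tree unencrypted. It assumes SOPS-encrypted YAML carries a top-level `sops:` block and `ENC[...]` values; the function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: flag Kubernetes Secret manifests that were never encrypted
# (or whose plaintext copy was not deleted after running `sops -e`).

# Print every *.yaml / *.yml file under $1 that has a top-level "kind: Secret"
# but lacks SOPS markers. If SOPS encrypted every value (no encrypted_regex),
# "kind" is ENC[...] too, so that file is skipped by the first grep.
find_plaintext_secrets() {
  dir="${1:-.}"
  find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
  while IFS= read -r f; do
    grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || continue
    # Encrypted output: top-level "sops:" metadata plus ENC[...] values
    if grep -Eq '^sops:[[:space:]]*$' "$f" && grep -q 'ENC\[' "$f"; then
      continue
    fi
    printf '%s\n' "$f"
  done
}

# Hook/CI entry point: returns 1 when any plaintext Secret manifest is found.
check_repo() {
  hits="$(find_plaintext_secrets "${1:-.}")"
  if [ -n "$hits" ]; then
    printf 'Plaintext Secret manifests (encrypt, then delete):\n%s\n' "$hits" >&2
    return 1
  fi
}

# Constructed sample tree: one plaintext Secret, one SOPS-style file, one kustomization.
make_sample_repo() {
  mkdir -p "$1"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: mysecret\ndata:\n  username: YWRtaW4=\n' > "$1/secret.yaml"
  printf 'apiVersion: v1\nkind: Secret\ndata:\n  username: ENC[AES256_GCM,data:CONSTRUCTED,type:str]\nsops:\n  version: CONSTRUCTED\n' > "$1/secret.enc.yaml"
  printf 'generators:\n  - ./secret-generator.yaml\n' > "$1/kustomization.yaml"
}

demo() {
  tmp="$(mktemp -d)"
  make_sample_repo "$tmp"
  check_repo "$tmp" || echo "check failed as expected for the constructed tree"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Calling `check_repo .` from a pre-commit hook or CI job blocks the commit while `secret.yaml` is still present. The check is per file, so a multi-document YAML file mixing encrypted and plaintext Secrets is not caught.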