# Using KSOPS and adding secrets

## Keys

The public key is stored in the repo as `./.sops.yaml`.

The private keys are:

- K8s cluster as a secret
- macOS - `$HOME/Library/Application Support/sops/age/keys.txt`
- Linux - `$HOME/.config/sops/age/keys.txt`

## 1. Create the resource

```
cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF
```

## 2. Encrypt the resource

Note 1: the encryption (public) key is included in the repo, but the decryption (private) key is not.

Note 2: delete the plaintext resource after encrypting it.

```
# Encrypt with the SOPS CLI
# The SOPS configuration (recipients, path rules) is specified in .sops.yaml
sops -e secret.yaml > secret.enc.yaml
```
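
The plaintext `secret.yaml` and the `sops -e` output differ in a way a pre-commit hook can check before anything is committed: every value under `data:` or `stringData:` must be SOPS ciphertext (`ENC[AES256_GCM,...]`) and a top-level `sops:` block must exist. The check below is an added example, not part of this page or of SOPS/KSOPS; the two manifests are constructed and abbreviated, and the line-based scan assumes two-space indented, single-document Secret manifests like the ones above.

```python
import re

# A SOPS-encrypted value looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^\]]+\]$")
# "indent key: value" lines; a key may not start with whitespace or a comment marker
KV = re.compile(r"^(\s*)([^\s#][^:]*):\s*(.*)$")

# Constructed samples: the step-1 plaintext and (abbreviated) what `sops -e` emits
PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
"""
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  username: ENC[AES256_GCM,data:EXAMPLEcipher,iv:EXAMPLEiv,tag:EXAMPLEtag,type:str]
  password: ENC[AES256_GCM,data:EXAMPLEcipher,iv:EXAMPLEiv,tag:EXAMPLEtag,type:str]
sops:
  age:
    - recipient: age1EXAMPLEPUBLICKEY
"""

def unencrypted_fields(manifest: str) -> list:
    """Names of data/stringData fields not in SOPS ciphertext, plus a marker if no sops: block."""
    problems, in_data, has_sops = [], False, False
    for line in manifest.splitlines():
        m = KV.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if indent == 0:  # top-level key: enter/leave the data block, spot sops metadata
            in_data = key in ("data", "stringData")
            has_sops = has_sops or key == "sops"
        elif in_data and not ENC_VALUE.match(value):
            problems.append(key)
    if not has_sops:
        problems.append("<missing sops metadata>")
    return problems

if __name__ == "__main__":  # stand-alone run: report both constructed files
    for name, text in (("secret.yaml", PLAINTEXT), ("secret.enc.yaml", ENCRYPTED)):
        print(name, "->", unencrypted_fields(text) or "OK, safe to commit")
```

Run it from a pre-commit hook over every staged `*.enc.yaml` (and refuse any staged `secret.yaml`) so that Note 2 is enforced rather than remembered.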

## 3. Create the KSOPS kustomize generator

```
# Create the KSOPS generator that decrypts secret.enc.yaml at build time
cat <<EOF > secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  # Specify a name
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        # if the binary is in your PATH, you can do
        path: ksops
        # otherwise, path should be relative to manifest files, like
        # path: ../../../ksops
files:
  - ./secret.enc.yaml
EOF
```

## 4. Add to kustomization

Add the generator to `kustomization.yaml`:

```
generators:
  - ./secret-generator.yaml
```

## 5. Build to test

The build output contains the decrypted Secret, so do not redirect it into a file under version control.

```
# kustomize build takes the directory that contains kustomization.yaml;
# exec plugins such as KSOPS require the alpha-plugins flag
kustomize build --enable_alpha_plugins path/to/kustomization/
```

# References

- https://getsops.io/docs/#encrypting-and-decrypting-from-other-programs
- https://github.com/viaduct-ai/kustomize-sops