apps chore(cert-manager): add http01 to letsencrypt clusterissuer 2024-09-29 06:53:09 -04:00
bootstrap chore(cnpg): update postgres operator from 1.22.2 to 1.24.0 2024-09-22 20:38:47 -04:00
old Merge remote-tracking branch 'origin/main' 2024-02-02 21:14:04 -05:00
projects chore(kavita): combine and rename manifest files 2024-09-19 14:16:39 -04:00
.sops.yaml chore(syncthing): override sync-data location 2024-05-25 15:50:19 -04:00
README.md chore: docs for adding encrypted secrets with ksops and age 2024-09-27 18:14:41 -04:00

Using KSOPS and adding secrets

Keys

The age public key (the encryption recipient) is committed in the repo as ./.sops.yaml, so anyone with the repo can encrypt. The private (decryption) key is never committed; it lives in:

  • the K8s cluster, as a Secret
  • macOS - $HOME/Library/Application Support/sops/age/keys.txt (the default location sops checks for age keys)

1. Create the resource

Note that the values under data: are only base64-encoded, not encrypted, so until step 2 runs this file is a plaintext secret.

cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF

2. Encrypt the resource

Note 1: the encryption (public) key is included in the repo via .sops.yaml, but the decryption (private) key is not. sops selects the age recipient from the creation rule in .sops.yaml whose path pattern matches the file. Unless that rule also sets encrypted_regex: ^(data|stringData)$, sops encrypts every value in the manifest, including apiVersion, kind, metadata and type; KSOPS decrypts the whole file either way, but the narrower rule keeps the manifest readable and greppable in git.

Note 2: Delete the plaintext resource after encrypting it (rm secret.yaml), and check that only secret.enc.yaml is staged before committing.

# Encrypt with the SOPS CLI
# sops reads its configuration (age recipient, encrypted_regex) from .sops.yaml
sops -e secret.yaml > secret.enc.yaml

3. Create the KSOPS kustomize generator

# Create the KSOPS generator; kustomize executes ksops at build time to
# decrypt the files listed below and emit them as plain Secret resources
cat <<EOF > secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  # Specify a name
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
        exec:
          # if the binary is in your PATH, you can do
          path: ksops
          # otherwise, path should be relative to manifest files, like
          # path: ../../../ksops
files:
  - ./secret.enc.yaml
EOF

4. Add the generator to kustomization.yaml

generators:
  - ./secret-generator.yaml

5. Build to test

Exec plugins need both flags below (kustomize v3 spelled the first one --enable_alpha_plugins), and kustomize build takes the directory that holds kustomization.yaml, not the file itself. The build only succeeds on a machine that has the age private key (the default keys.txt path above, or the file named by SOPS_AGE_KEY_FILE), and its output contains the decrypted Secret, so review it in a pager or diff rather than redirecting it into the repo.

kustomize build --enable-alpha-plugins --enable-exec path/to/kustomization/
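The step that goes wrong in practice is Note 2: the plaintext secret.yaml from step 1 is left next to secret.enc.yaml and gets committed. The script below is an added example, not part of this repo's tooling, of a pre-commit style guard for that failure: it refuses any manifest with kind: Secret whose data:/stringData: values are not SOPS ciphertexts (ENC[...]) or that lacks a sops: block with an age recipient. The fixtures it writes are constructed for the demo (the secret.yaml from step 1, plus a stand-in for secret.enc.yaml whose ENC[...] values and age recipient are placeholders, not real sops output); it only parses the flat key: value layout used in this README, not block scalars.

```shell
#!/usr/bin/env sh
# Added example: guard against committing a plaintext Kubernetes Secret next
# to its SOPS-encrypted copy. Fixture ciphertexts below are placeholders.
set -eu

# base64 is an encoding, not encryption: the step-1 values decode instantly.
b64_decode() { printf '%s' "$1" | base64 -d; }

# Return 0 if every value under data:/stringData: in "$1" starts with ENC[
# and the file carries a sops: block naming an age recipient; otherwise 1.
is_sops_encrypted() {
  _plain=$(awk '
    /^[^ \t]/ { in_data = ($1 == "data:" || $1 == "stringData:"); next }
    in_data && /^[ \t]+[^ \t#]+:[ \t]*[^ \t]/ {
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val !~ /^ENC\[/) { sub(/:$/, "", $1); print $1 }
    }' "$1")
  if [ -n "$_plain" ]; then
    echo "$1: plaintext value(s):" $_plain >&2
    return 1
  fi
  if ! grep -q '^sops:' "$1" || ! grep -q '^[[:space:]]*age:' "$1"; then
    echo "$1: missing sops/age metadata" >&2
    return 1
  fi
  return 0
}

# Scan every *.yaml in "$1" that declares kind: Secret; the return value is
# the number of files that would leak if committed (0 = safe to commit).
scan_secrets() {
  _bad=0
  for f in "$1"/*.yaml; do
    grep -q '^kind: Secret$' "$f" || continue
    is_sops_encrypted "$f" || _bad=$((_bad + 1))
  done
  return "$_bad"
}

# Write two constructed fixtures into a temp dir and print its path: the
# plaintext Secret from step 1 and a placeholder stand-in for secret.enc.yaml.
make_fixtures() {
  _d=$(mktemp -d)
  cat <<'EOF' > "$_d/secret.yaml"
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF
  cat <<'EOF' > "$_d/secret.enc.yaml"
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
  password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
  age:
    - recipient: age1placeholderrecipient
      enc: placeholder
  encrypted_regex: ^(data|stringData)$
EOF
  echo "$_d"
}

# Demo run: the plaintext secret.yaml is reported and the scan returns 1.
fixtures=$(make_fixtures)
scan_secrets "$fixtures" || echo "refusing commit: $? plaintext Secret manifest(s)" >&2
rm -rf "$fixtures"
```

Wired into a pre-commit hook, run scan_secrets over the staged directories instead of the fixture dir; a non-zero return blocks the commit before the plaintext leaves the working tree.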

References