Skip to content

Agilicus/kustomize-sops

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
.vscode
.vscode
 
 
.gitignore
.gitignore
 
 
LICENSE-2.0
LICENSE-2.0
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
SopsConfigMap.go
SopsConfigMap.go
 
 
SopsSecret.go
SopsSecret.go
 
 
kustomization.yaml
kustomization.yaml
 
 
kustomize-enable.patch
kustomize-enable.patch
 
 
kustomize.patch
kustomize.patch
 
 
kustomize_secrets.yaml
kustomize_secrets.yaml
 
 
secrets.enc.yaml
secrets.enc.yaml
 
 
secrets.yaml
secrets.yaml
 
 

Repository files navigation

kustomize-sops

This is a very simple wrapper to allow use of sops encoded secrets within kustomize.

It assumes that there exists a single secrets.enc.yaml file, and in it there is a 1-deep YAML representation of SECRET: VALUE.

Assume you had a raw secrets as secrets.yaml:

CAT: ferocious
DOG: tame

You would then encrypt it something like:

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

You would use a kustomization.yaml file as:

---
apiVersion: kustomize-sops/v1
kind: SopsSecret
name: my-secret
namespace: bar
source: secrets.enc.yaml
metadata:
  name: not-used
keys:
  - CAT

If keys is empty (e.g. keys: []), then all keys are imported.

And then running kustomize build --enable_alpha_plugins . would yield:

apiVersion: v1
data:
  CAT: ZmVyb2Npb3Vz
kind: Secret
metadata:
  name: my-secret-hkbkhc8h2b
  namespace: bar
type: Opaque

You may wish to try: type: kubernetes.io/dockerconfigjson if using a docker config.

More information is in the blog post.

Install Pre-requisites

Build & Install plugin

This is a bit complex since Go plugins are unbelievably brittle, all packages in both sides must be identical. Effectively they must be built in the same tree at the same time.

To build, run make. Note: the result is both kustomize and the plugin, you must use the kustomize that this builds.

It will output two files:

~/bin/kustomize
~/.config/kustomize/plugin/kustomize-sops/v1/sopssecret/SopsSecret.so

If you have ~/bin on your path, it should work from here.

I have build this with

$ go version
go version go1.13.7 linux/amd64

I am not sure how sensitive it is to changes.

Test/Run

kustomize build --enable_alpha_plugins .

Setup encrypted secrets

gcloud auth application-default login
gcloud kms keyrings create sops --location global
gcloud kms keys create sops-key --location global --keyring sops --purpose encryption
gcloud kms keys list --location global --keyring sops
# NAME                                                                      PURPOSE          LABELS  PRIMARY_ID  PRIMARY_STATE
# projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key  ENCRYPT_DECRYPT          1           ENABLED

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

Notes

The interface in kustomize for plugins is extremely brittle. They effectively don't work unless compiled at the same time as kustomize.

See kustomize-plugins for exec-based plugins that achieve the same purpose as above, but are not as brittle.

The patch... see kubernetes-sigs/kustomize#1075 (comment)

About

This is a *very* simple wrapper to allow use of [sops](https://github.com/mozilla/sops) encoded secrets within [kustomize](https://github.com/kubernetes-sigs/kustomize).

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

74 stars

Watchers

7 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages