Skip to content
This is a *very* simple wrapper to allow use of [sops]( encoded secrets within [kustomize](
Go Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.vscode fix: add patch to workaround merge issue Jun 21, 2019
.gitignore fix: add Makefile to build sanely Jun 21, 2019
LICENSE-2.0 docs: add license for external release Apr 19, 2019
Makefile fix: pin to 0707deae95e0659246b4da0a29a72949ac24b7c2 Jul 29, 2019 feat: support importing all keys when array is empty Jun 27, 2019
SopsSecret.go Added code for unmarshalling of generator options Jul 26, 2019
kustomization.yaml chore: fix the test example Jul 2, 2019
kustomize-enable.patch fix: enable the plugins by default Jul 16, 2019
kustomize.patch fix: add patch to workaround merge issue Jun 21, 2019
secrets.enc.yaml fix: use root to qualify path Apr 19, 2019
secrets.yaml Initial commit Apr 19, 2019


This is a very simple wrapper to allow use of sops encoded secrets within kustomize.

It assumes that there exists a single secrets.enc.yaml file, and in it there is a 1-deep YAML representation of SECRET: VALUE.

Assume you had a raw secrets as secrets.yaml:

CAT: ferocious
DOG: tame

You would then encrypt it something like:

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

You would use a kustomization.yaml file as:

apiVersion: kustomize-sops/v1
kind: SopsSecret
name: my-secret
namespace: bar
source: secrets.enc.yaml
  name: not-used
  - CAT

If keys is empty (e.g. keys: []), then all keys are imported.

And then running kustomize build --enable_alpha_plugins . would yield:

apiVersion: v1
  CAT: ZmVyb2Npb3Vz
kind: Secret
  name: my-secret-hkbkhc8h2b
  namespace: bar
type: Opaque

You may wish to try: type: if using a docker config.

More information is in the blog post.

Install Pre-requisites

Build & Install plugin

This is a bit complex since Go plugins are unbelievably brittle, all packages in both sides must be identical. Effectively they must be built in the same tree at the same time.

You can run make, or, paste below.

export GO111MODULE=on
mkdir -p
git clone
#(cd; git checkout af67c893d87c)

mkdir -p ~/.config/kustomize/plugin/kustomize-sops/v1/sopssecret
ln -s $PWD/SopsSecret.go $PWD/
(cd; go build -buildmode plugin -o ~/.config/kustomize/plugin/kustomize-sops/v1/sopssecret/ plugin/SopsSecret.go)
(cd; go build  -o ~/bin/kustomize cmd/kustomize/main.go) 


kustomize build --enable_alpha_plugins .

Setup encrypted secrets

gcloud auth application-default login
gcloud kms keyrings create sops --location global
gcloud kms keys create sops-key --location global --keyring sops --purpose encryption
gcloud kms keys list --location global --keyring sops
# NAME                                                                      PURPOSE          LABELS  PRIMARY_ID  PRIMARY_STATE
# projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key  ENCRYPT_DECRYPT          1           ENABLED

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml


The interface in kustomize for plugins is extremely brittle. They effectively don't work unless compiled at the same time as kustomize.

The patch... see

You can’t perform that action at this time.