Guide of how to feed .env to k8s secret with sops and helm

jjangga0214/k8s-sops-helm

How to use k8s secret with sops and helm?

This example explains how to feed a .env (dotenv) file into a Kubernetes Secret with helm and sops. Other formats (e.g. YAML, JSON) work as well; refer to the sops docs for details.

There are k8s/staging.env and k8s/prod.env. Both are dotenv files encrypted by sops (using PGP), and there is a helm chart, demo (k8s/demo).

(k8s/staging.decrypted.env and k8s/prod.decrypted.env are included for your convenience, but in a real project these raw secrets must never be committed to version control; add a pattern such as `*.decrypted.env` to .gitignore.)

To deploy demo to the production environment (e.g. a cluster or namespace), take the 3 steps below.

Steps

  1. Decrypt the secret (dotenv file) into a temporary file.

     ```sh
     sops -d k8s/prod.env > k8s/prod.decrypted.env
     ```

  2. Pass it with helm's --set-file option. In this example, --set-file creates a helm value named dotenv, which is not specified in ./k8s/values/prod/demo.yaml.

     ```sh
     helm upgrade --install \
       -f ./k8s/values/prod/demo.yaml \
       --set-file dotenv=./k8s/prod.decrypted.env \
       production-demo ./k8s/demo
     ```

     k8s/demo/templates/secrets.yaml creates .env from .Values.dotenv, which is populated by --set-file.

     ```yaml
     data:
       .env: {{ .Values.dotenv | b64enc }}
     ```

     k8s/demo/templates/deployment.yaml creates a volume from the Secret and mounts it so that .env appears at /secrets/.env.

     ```yaml
     volumeMounts:
       - mountPath: "/secrets/"
     ```

     Therefore the application can read its environment variables from /secrets/.env.

     Note that helm keeps the release's user-supplied values, dotenv included, in its release record (by default a Secret named sh.helm.release.v1.<release>.v<revision> in the release namespace), so `helm get values production-demo` prints the decrypted dotenv to anyone who can read that Secret. Protect the release history with the same RBAC as the Secret itself.

  3. Remove the temporarily decrypted secret file.

     ```sh
     rm k8s/prod.decrypted.env
     ```

Quick Check

To see the rendered manifests without applying anything to the cluster, run with --dry-run.

```sh
helm upgrade --install \
  -f ./k8s/values/staging/demo.yaml \
  --set-file dotenv=./k8s/staging.decrypted.env \
  staging-demo ./k8s/demo \
  --dry-run
```

This shows the base64-encoded .env. base64 is an encoding, not encryption, so treat this output as the secret itself and keep it out of CI logs and pasted snippets. k8s decodes it and writes the plain content to the volume.

```yaml
data:
  .env: SEVMTE89IndvcmxkIgpIST0idGhlcmUi
```

To decode it for verification, run this.

```sh
echo "SEVMTE89IndvcmxkIgpIST0idGhlcmUi" | base64 -d
```
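Two checks a practitioner will want around this workflow, as an added example rather than code from the k8s-sops-helm repo: a guard that a sops-managed dotenv file really is encrypted before it is committed, and a check that the rendered Secret decodes byte for byte to the decrypted file (which also shows why a trailing newline in the .env changes the base64 value). The shape of sops' dotenv output (KEY=ENC[AES256_GCM,...] values plus sops_* metadata lines such as sops_mac) and the `data:` / `.env:` layout of the rendered Secret are assumptions taken from sops and from the fragments above; the paths in the usage comment are the repo's own.

```shell
#!/usr/bin/env bash
# Sanity checks for the sops + helm --set-file dotenv workflow.
# Added example, not code from the k8s-sops-helm repo. Assumptions:
#   - the chart renders the Secret as `data:` / `  .env: <base64>` (as in the README);
#   - sops-encrypted dotenv files carry KEY=ENC[AES256_GCM,...] values plus
#     sops_* metadata lines (sops_mac among them), which is sops' dotenv layout.
set -eu

# Encode a file the way helm's `b64enc` does: the whole file, byte for byte,
# on a single base64 line. A trailing newline in the .env is part of the data,
# so two files that differ only there encode differently.
helm_b64enc() {
  base64 < "$1" | tr -d '\n'
}

# Pre-commit guard for the encrypted files (k8s/prod.env, k8s/staging.env):
# succeeds only if the sops MAC line is present and every KEY=VALUE line is
# encrypted. Blank lines, comments and sops_* metadata are ignored. A single
# plaintext assignment (a file never run through `sops -e`, or a
# *.decrypted.env renamed by mistake) makes it fail.
is_encrypted_dotenv() {
  file="$1"
  grep -q '^sops_mac=' "$file" || return 1
  if grep -v -e '^[[:space:]]*$' -e '^#' -e '^sops_' "$file" \
       | grep -v -q '^[A-Za-z_][A-Za-z0-9_]*=ENC\[AES256_GCM,'; then
    return 1   # at least one unencrypted assignment
  fi
  return 0
}

# Post-render check: given a manifest produced by `helm template` or
# `--dry-run` and the decrypted dotenv file, pull the `.env:` value out of
# the Secret, decode it and compare byte for byte with the source file.
verify_rendered_env() {
  manifest="$1"
  plaintext="$2"
  rendered=$(sed -n 's/^[[:space:]]*\.env:[[:space:]]*//p' "$manifest" | head -n 1)
  if [ -z "$rendered" ]; then
    echo "no .env entry found in $manifest" >&2
    return 1
  fi
  printf '%s' "$rendered" | base64 -d | cmp -s - "$plaintext"
}

# Usage with the repo's files (needs sops and helm; not executed here):
#   is_encrypted_dotenv k8s/prod.env || { echo 'k8s/prod.env is not encrypted' >&2; exit 1; }
#   sops -d k8s/prod.env > k8s/prod.decrypted.env
#   helm template production-demo ./k8s/demo -f ./k8s/values/prod/demo.yaml \
#     --set-file dotenv=./k8s/prod.decrypted.env > rendered.yaml
#   verify_rendered_env rendered.yaml k8s/prod.decrypted.env && echo 'Secret matches'
#   rm k8s/prod.decrypted.env rendered.yaml
```

`is_encrypted_dotenv` is the one to wire into a pre-commit hook: the failure mode it catches is the plaintext .env (or a `*.decrypted.env` copied over the encrypted one) landing in git history, which no later `rm` can undo. `verify_rendered_env` compares bytes rather than eyeballing the base64, so it also catches the silent difference between a file with and without a trailing newline.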

One liner

You can copy and paste this. It runs in a subshell that removes the decrypted file on exit, even when helm fails (a plain `&&` chain would leave it behind), and umask 077 makes the file readable only by the current user.

```sh
( umask 077 \
  && trap 'rm -f k8s/prod.decrypted.env' EXIT \
  && sops -d k8s/prod.env > k8s/prod.decrypted.env \
  && helm upgrade --install \
       -f ./k8s/values/prod/demo.yaml \
       --set-file dotenv=./k8s/prod.decrypted.env \
       production-demo ./k8s/demo )
```

helmfile

helmfile supports --set-file as well, through a `set` entry with `file`.

```yaml
releases:
  - name: production-demo
    chart: k8s/demo
    values:
    - k8s/values/prod/demo.yaml
    set: # this is the same as `--set-file dotenv=./k8s/prod.decrypted.env`
    - name: dotenv
      file: k8s/prod.decrypted.env
```

Credit

This repo is influenced by cloudnativedevops/demo/hello-sops, but the configuration is modified (e.g. --set-file and .Values instead of .Files.Get, so that the secret is independent from the chart). There is an open discussion about this modified approach at cloudnativedevops/demo#21.
