runme
This guide uses Linux.
You need a running Kubernetes cluster; here we create a local one with kind:
```sh
# kind release version without the leading v (Runme prompts for the value)
export version
case "$(uname -m)" in
  x86_64)  arch=amd64 ;;
  aarch64) arch=arm64 ;;
  *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;;
esac
curl -Lo ./kind "https://kind.sigs.k8s.io/dl/v$version/kind-linux-$arch"
# Make the kind binary executable and put it on the PATH
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
# Create the local cluster
kind create cluster
```
Install kubectl, the Kubernetes command-line tool you use to interact with your cluster. Download the published checksum next to the binary and verify it before installing (on an ARM host replace `amd64` with `arm64` in both URLs):
```sh
stable=$(curl -L -s https://dl.k8s.io/release/stable.txt)
curl -LO "https://dl.k8s.io/release/$stable/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/$stable/bin/linux/amd64/kubectl.sha256"
# Fails with a non-zero exit if the binary does not match the published hash
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
# Make the kubectl binary executable and install it root-owned
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
sudo chown root: /usr/local/bin/kubectl
# Check the version
kubectl version --client
# Remove the checksum file
rm kubectl.sha256
```
Download and install the SOPS binary, verifying it against the checksum file published with each release:
```sh
# sops release version without the leading v (Runme prompts for the value)
export version
curl -LO "https://github.com/getsops/sops/releases/download/v$version/sops-v$version.linux.amd64"
curl -LO "https://github.com/getsops/sops/releases/download/v$version/sops-v$version.checksums.txt"
# Check only the line for the binary we downloaded
grep "sops-v$version.linux.amd64\$" "sops-v$version.checksums.txt" | sha256sum --check
# Make the binary executable and move it to your PATH
chmod +x "sops-v$version.linux.amd64"
sudo mv "sops-v$version.linux.amd64" /usr/local/bin/sops
```
Install and configure the AWS CLI. The identity you configure here is the one SOPS will call KMS with, so it needs `kms:Encrypt` and `kms:Decrypt` on the key used below:
```sh
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws configure
# Confirm which principal the credentials resolve to
aws sts get-caller-identity
```
Configure SOPS with your key and preferred settings. In this example we use AWS KMS; see the AWS documentation on how to create a KMS key.
- Set your environment variables with `export` (Runme prompts for each value).
- Create your SOPS configuration file:
```sh
export region
export accountid
export alias
echo "creation_rules:
  - kms: arn:aws:kms:${region}:${accountid}:alias/${alias}" > ~/.sops1.yaml
# Verify the configuration
cat ~/.sops1.yaml
```
Note that SOPS only picks up a configuration file automatically when it is named `.sops.yaml` and sits in the current directory or one of its parents; a file at `~/.sops1.yaml` is used only when passed explicitly with `--config ~/.sops1.yaml`. The encrypt command below names the key with `--kms` directly, so it works either way.
Encrypt your secrets using SOPS with AWS KMS.
- Set your variables (Runme prompts for each value).
- Run the command:
```sh
export keyid
export region
export accountid
# Encrypt only values whose key name matches the regex; the KMS call is bound
# to the encryption context Role=runme-test, which SOPS records in the file
sops --encrypt \
  --kms "arn:aws:kms:${region}:${accountid}:key/${keyid}" \
  --encryption-context Role:runme-test \
  --encrypted-regex password \
  runme-secrets.yaml > runme-secrets-enc.yaml
```
Two things to keep in mind. `--encrypted-regex password` encrypts only keys whose name matches `password`; any other key under `data:` (a `token`, a `tls.key`) is left as plain base64, which is not encryption. For a Kubernetes Secret, `--encrypted-regex '^(data|stringData)$'` encrypts the whole payload while leaving `metadata` readable. And the plaintext `runme-secrets.yaml` is still on disk after this command: delete it, and never commit it.
Retrieve and decrypt your secrets when needed.
Here is how to check the secret inside the cluster:
```sh
kubectl get secret runme -n test -o jsonpath="{.data.password}" | base64 --decode
```
Here is how to decrypt your SOPS file. The `sops:` metadata block in the encrypted file records the KMS key ARN, the encryption context and the encrypted regex, so none of them need to be repeated on decrypt:
```sh
sops --decrypt runme-secrets-enc.yaml > runme-secrets.yaml
```
Replace the placeholders `${region}`, `${accountid}`, `${alias}` and `${keyid}` with your AWS region, account ID, key alias and key ID, and adapt the encryption and decryption commands to your use case.
To apply the secret to the cluster without leaving a plaintext copy on disk, pipe the decrypted output straight into kubectl:
```sh
sops -d runme-secrets-enc.yaml | kubectl apply -f -
```