[Sandbox] SOPS
hiddeco opened this issue · 35 comments
Application contact emails
mhoye@mozilla.com
hidde@weave.works
ablock@redhat.com
Project Summary
SOPS (Secrets OPerationS) is an editor in the form of a command-line tool and SDK designed to help manage encrypted files in a variety of structured (YAML, JSON, ENV, INI) and BINARY formats using one of the supported Key Management Systems (KMS), PGP, or age.
Project Description
SOPS (Secrets OPerationS) is an editor in the form of a command-line tool and SDK designed to help manage sensitive content stored within structured files. Various formats, including YAML, JSON, ENV and binary, are supported and their content is managed by encrypting only the values portion of a key/value pair to maintain their readability as it lies at rest.
The encryption/decryption process is facilitated by one of the several popular KMS services including AWS, GCP, Azure Key Vault and HashiCorp Vault or more traditional methods, such as PGP or age.
SOPS features a robust set of capabilities to manage complex workflows including support for multiple operational environments and the ability to leverage multiple encryption backends deterministically. Beyond the basics, support is also available to perform key rotation to re-encrypt encrypted contents as well as auditing each activity that is performed to satisfy both day one and day two requirements.
Org repo URL
N/A
Project repo URL
https://github.com/mozilla/sops
Additional repos
https://github.com/mozilla/sotp
Website URL
https://github.com/mozilla/sops
Roadmap
N/A
Roadmap context
While contributions from the community continue to be submitted to the project, until a long term direction is determined, no active development will occur. Once those primary hurdles have been resolved, the short term roadmap focuses on producing a new release of the project, the first in over nine (9) months (v3.7.3 - May 2022).
Given the popularity of the project (12k stars and still growing), its future is bright. To support evolving the project forward, long term goals could include:
Expanding the set of supported encryption providers
Providing more native support for the ecosystem seeking to integrate the project within their tooling. Several externally managed tools do exist which provide these integrations, but they are developed and maintained by individual contributors instead of being associated with either this project or for the target tool.
Contributing Guide
https://github.com/mozilla/sops/blob/master/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/mozilla/sops/blob/master/CODE_OF_CONDUCT.md
Adopters
No response
Contributing or Sponsoring Org
Maintainers file
N/A (beyond git-log)
IP Policy
- If the project is accepted, I agree the project will follow the CNCF IP Policy
Under review by Mozilla/CNCF legal but not expected to be blocking for further entry.
Trademark and accounts
- If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Under review by Mozilla/CNCF legal but not expected to be blocking for further entry.
Why CNCF?
The maintainers of the SOPS project have approached several maintainers and contributors of CNCF projects to take stewardship of this project, which has been agreed to in principle. This proposal represents a tangible first step towards this desired goal.
Aside from providing a home for the SOPS project, there currently is a void as it relates to tooling dedicated for the purpose of managing sensitive resources within the CNCF. There are a couple of other libraries of limited scope, but there is no major focus compared to other domains, e.g. OpenTelemetry.
By SOPS becoming a CNCF sponsored project, it represents not only a need for this type of tooling, but the desire for additional dialog and the establishment of recommended practices when working with sensitive assets to be leveraged by the community to ultimately provide a more secure operating environment.
The big picture here is that all cloud native applications need better support, patterns, tools, APIs. SOPS is just one set of patterns but could help create focus and momentum for more solutions and community work.
Benefit to the Landscape
Managing sensitive assets is a fundamental task when working with any cloud native technology so their values can be safely used in practice as well as stored at rest. By establishing SOPS as a CNCF project, it represents a clear indication that secrets management is an important concept and that practices must be established to not only provide approaches when working with sensitive resources, but for tooling to be available to facilitate the safe storage, retrieval and interoperability with existing systems.
Cloud Native 'Fit'
SOPS itself is not tied to a specific cloud native technology or project. However, it is not only applicable to help satisfy key security, compliance and auditing requirements, but integrations are available (see below) to support the usage within other cloud native solutions.
In addition, by being available as a simple Command Line based utility with a limited number of dependencies and requirements, end users can begin protecting their sensitive assets in no time enabling a safer operating experience and promoting recommended security practices.
Cloud Native 'Integration'
Several cloud native technologies and associated projects have already included native support or are leveraging a third party integration to enable SOPS within their project.
The list of projects includes:
- Flux (CNCF graduated) offers extensive native integration
- Argo CD (CNCF graduated) offers support through its plugin model which is enabled by several third party plugins
- Helm (CNCF graduated) offers support through its plugin model which is enabled by several third party plugins
- Automation tooling (Ansible / Terraform) through third party plugins
Cloud Native Overlap
No response
Similar projects
SOPS provides similar functionality as these other projects:
- External Secrets Operator
- Sealed Secrets
ESO has a complementary approach to SOPS and the projects could potentially help each other e.g. with shared libs for connectors to third party stores. (maybe under an umbrella org?)
Product or Service to Project separation
N/A
Project presentations
No response
Project champions
No response
Additional information
Proposed new maintainers:
- Andrew Block (@sabre1041), Red Hat
- Devin Buhl (@onedr0p), K8s@Home
- Devin Stein (@devstein), KSOPS
- Hidde Beydals (@hiddeco), Weaveworks
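The Project Description above states the core idea of SOPS: only the value side of each key/value pair is encrypted, so the structure of a YAML or JSON file stays readable at rest, and key rotation re-encrypts those values under a new key. The following Go program is an added illustration of that idea written for this page; it is not SOPS's own code and does not reproduce its file format. It assumes a hypothetical `Codec` type holding a raw 32-byte AES key (where SOPS would instead wrap a data key with KMS, PGP or age), and a constructed `ENC[...]` marker for encrypted leaves. Each leaf is JSON-encoded before encryption so numbers and booleans keep their type on the way back, and every value gets a fresh nonce, so rotation never reuses one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Codec seals or opens leaf values with AES-256-GCM (hypothetical type for this example).
type Codec struct{ aead cipher.AEAD }

// NewCodec wraps a 32-byte key in an AEAD.
func NewCodec(key []byte) (*Codec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Codec{aead: aead}, err
}

// seal JSON-encodes a leaf so its type survives the round trip, encrypts it under a
// fresh random nonce, and wraps it in an ENC[...] marker constructed for this example.
func (c *Codec) seal(leaf interface{}) (interface{}, error) {
	plain, _ := json.Marshal(leaf) // leaves of a decoded document are always scalars
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := c.aead.Seal(nonce, nonce, plain, nil)
	return "ENC[" + base64.StdEncoding.EncodeToString(sealed) + "]", nil
}

// open reverses seal; any bit flip in a stored value fails GCM authentication.
func (c *Codec) open(leaf interface{}) (interface{}, error) {
	s, ok := leaf.(string)
	if !ok || !strings.HasPrefix(s, "ENC[") || !strings.HasSuffix(s, "]") {
		return nil, fmt.Errorf("leaf %v is not an ENC[...] value", leaf)
	}
	raw, err := base64.StdEncoding.DecodeString(s[4 : len(s)-1])
	n := c.aead.NonceSize()
	if err != nil || len(raw) < n {
		return nil, fmt.Errorf("malformed encrypted value")
	}
	plain, err := c.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return nil, err
	}
	var out interface{}
	return out, json.Unmarshal(plain, &out)
}

// walk rebuilds a decoded JSON/YAML tree, applying fn to every leaf while keeping
// each map key and list position exactly where it was.
func walk(node interface{}, fn func(interface{}) (interface{}, error)) (interface{}, error) {
	switch v := node.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(v))
		for k, child := range v {
			c, err := walk(child, fn)
			if err != nil {
				return nil, err
			}
			out[k] = c
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(v))
		for i, child := range v {
			c, err := walk(child, fn)
			if err != nil {
				return nil, err
			}
			out[i] = c
		}
		return out, nil
	default:
		return fn(v)
	}
}

// Encrypt encrypts only the values, so keys stay readable at rest; Decrypt is its
// inverse, and Rotate re-encrypts every value from one key to the next in memory.
func (c *Codec) Encrypt(doc interface{}) (interface{}, error) { return walk(doc, c.seal) }
func (c *Codec) Decrypt(doc interface{}) (interface{}, error) { return walk(doc, c.open) }
func Rotate(old, next *Codec, doc interface{}) (interface{}, error) {
	plain, err := old.Decrypt(doc)
	if err != nil {
		return nil, err
	}
	return next.Encrypt(plain)
}

func main() {
	c, _ := NewCodec([]byte("0123456789abcdef0123456789abcdef")) // constructed key, not a real secret
	enc, _ := c.Encrypt(map[string]interface{}{"db": map[string]interface{}{"host": "db.internal", "port": 5432, "password": "hunter2"}})
	fmt.Println(enc) // map keys readable, every value ENC[...]
}
```

Running it prints a map whose keys (`db`, `host`, `port`, `password`) are still visible while every value is an opaque `ENC[...]` string, which is what lets an encrypted file be diffed and reviewed in version control. Rotation goes through `Rotate`, so the plaintext only ever exists in memory, and because GCM authenticates the ciphertext, a value edited by hand fails to decrypt rather than silently yielding garbage.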