/sops-secrets-operator

Kubernetes SOPS secrets operator

Primary LanguageGoMozilla Public License 2.0MPL-2.0

Go Report Card CircleCI GitHub release Docker pulls MPL v2.0

SOPS: Secrets OPerationS - Kubernetes Operator

Operator which manages Kubernetes Secret Resources created from user defined SopsSecrets CRs, inspired by Bitnami SealedSecrets and sops. SopsSecret CR defines multiple kubernetes Secret resources. It supports managing kubernetes Secrets with annotations and labels, that allows using these kubernetes secrets as Jenkins Credentials. The SopsSecret resources can be deployed by Weaveworks Flux GitOps CD and encrypted using sops for AWS, GCP, Azure or on-prem hosted kubernetes clusters. Using sops greatly simplifies changing encrypted files stored in git repository.

Requirements for building operator from source code

  • sops - 3.6.0
  • kubebuilder - 2.3.1
  • kustomize - 3.8.1
  • golang - 1.14.4
  • helm - 3.+

Operator Installation

Helm repository

Add helm repository for chart installation:

helm repo add sops https://isindir.github.io/sops-secrets-operator/

AWS

  • Create KMS key
  • Create AWS Role which can be used by operator to decrypt CR data structure, follow sops documentation
  • Deploy CRD:
kubectl apply -f config/crd/bases/isindir.github.com_sopssecrets.yaml

NOTE: to grant access to aws for sops-secret-operator - kiam or kube2iam can be used.

  • Deploy helm chart:
kubectl create namespace sops

helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
  --namespace sops

PGP

For instructions on howto configure PGP keys for operator, see Preparing GPG keys

Then install operator:

kubectl create namespace sops

kubectl apply -f docs/gpg/1.yaml --namespace sops
kubectl apply -f docs/gpg/2.yaml --namespace sops

kubectl apply -f config/crd/bases/isindir.github.com_sopssecrets.yaml

helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
  --namespace sops --set gpg.enabled=true

SopsSecret Custom Resource File creation

  • create SopsSecret file, for example:
cat >jenkins-secrets.yaml <<EOF
apiVersion: isindir.github.com/v1alpha2
kind: SopsSecret
metadata:
  name: example-sopssecret
spec:
  secretTemplates:
    - name: jenkins-secret
      labels:
        "jenkins.io/credentials-type": "usernamePassword"
      annotations:
        "jenkins.io/credentials-description" : "credentials from Kubernetes"
      data:
        username: myUsername
        password: 'Pa$$word'
    - name: some-token
      data:
        token: Wb4ziZdELkdUf6m6KtNd7iRjjQRvSeJno5meH4NAGHFmpqJyEsekZ2WjX232s4Gj
    - name: docker-login
      type: 'kubernetes.io/dockerconfigjson'
      data:
        .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"myuser@abc.com","auth":"aW15dXNlcjpteXBhc3M="}}}'
EOF
  • Encrypt file using sops and AWS kms key:
sops --encrypt \
  --kms 'arn:aws:kms:<region>:<account>:alias/<key-alias-name>' \
  --encrypted-suffix='Templates' jenkins-secrets.yaml \
  > jenkins-secrets.enc.yaml
  • Encrypt file using sops and GCP KMS key:
sops --encrypt \
  --gcp-kms 'projects/<project-name>/locations/<location>/keyRings/<keyring-name>/cryptoKeys/<key-name>' \
  --encrypted-suffix='Templates' jenkins-secrets.yaml \
  > jenkins-secrets.enc.yaml
  • Encrypt file using sops and Azure Keyvault key:
sops --encrypt \
  --azure-kv 'https://<vault-url>/keys/<key-name>/<key-version>' \
  --encrypted-suffix='Templates' jenkins-secrets.yaml \
  > jenkins-secrets.enc.yaml
  • Encrypt file using sops and PGP key:
sops --encrypt \
  --pgp '<pgp-finger-print>' \
  --encrypted-suffix='Templates' jenkins-secrets.yaml \
  > jenkins-secrets.enc.yaml

Note: Multiple keys can be used to encrypt secrets. At the time of decryption access to one of these is needed. For more information see sops documentation.

License

Mozilla Public License Version 2.0

Known Issues

  • sops-secrets-operator is not strictly following Kubernetes OpenAPI naming conventions. This is due to the fact that sops generates substructures in encrypted file with incompatible to OpenAPI names (containing underscore symbols, where it should be lowerCamelCase for OpenAPI compatibility).
  • sops-secrets-operator is not using standard sops library decryption interface function, modified upstream function is used to decrypt data which ignores enc signature field in sops metadata. This is due to the fact that when Kubernetes resource is applied it is always mutated by Kubernetes, for example resource version is generated and added to the resource. But any mutation invalidates sops metadata enc field and standard decryption function fails.

Links

Projects and tools inspired development of sops-secrets-operator: