Info about the fork
Fork with support SOPS option encrypted_regex instead encrypted_suffix
It gives possibility to use Helm variables in spec.secretTemplates.name
Original issue: https://github.com/isindir/sops-secrets-operator/issues/27 was closed (won't fix)
I have no good knowledge of writing CRD, so it just a hot replacement without creating PR.Operator which manages Kubernetes Secret Resources created from user defined SopsSecrets
CRs, inspired by Bitnami SealedSecrets and
sops. SopsSecret CR defines multiple
kubernetes Secret resources. It supports managing kubernetes Secrets with
annotations and labels, that allows using these kubernetes secrets as Jenkins Credentials.
The SopsSecret resources can be deployed by Weaveworks Flux GitOps CD and
encrypted using sops for AWS, GCP, Azure or
on-prem hosted kubernetes clusters. Using sops greatly simplifies changing
encrypted files stored in git repository.
- sops - 3.6.1
- kubebuilder - 2.3.1
- kustomize - 3.8.3
- golang - 1.14.9
- helm - 3.+
Add helm repository for chart installation:
helm repo add sops https://isindir.github.io/sops-secrets-operator/- Create KMS key
- Create AWS Role which can be used by operator to decrypt CR data structure, follow sops documentation
- Deploy CRD:
kubectl apply -f config/crd/bases/isindir.github.com_sopssecrets.yamlNOTE: to grant access to aws for
sops-secret-operator- kiam, kube2iam or IAM roles for service accounts can be used.
- Deploy helm chart:
kubectl create namespace sops
helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
--namespace sopsFor instructions on howto configure PGP keys for operator, see Preparing GPG keys
Then install operator:
kubectl create namespace sops
kubectl apply -f docs/gpg/1.yaml --namespace sops
kubectl apply -f docs/gpg/2.yaml --namespace sops
kubectl apply -f config/crd/bases/isindir.github.com_sopssecrets.yaml
helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
--namespace sops --set gpg.enabled=true- Create a KeyVault if you don't have one already
- Create a Key in that KeyVault
- Create Service principal with permissions to use the key for Encryption/Decryption
- follow the SOPS documentation
- Either put Tenant ID, Client ID and Client Secret for the Service Principal in your custom values.yaml file or create a Kubernetes Secret with the same information and put the name of that secret in your values.yaml. Enable Azure in the Helm Chart by setting
azure.enabled: truein values.yaml.
cat <<EOF > azure_values.yaml
azure:
enabled: true
tenantId: 6ec4c881-32ee-4340-a456-d6ca65a42193
clientId: 9c325550-b264-4aee-ab6f-719771adda28
clientSecret: 'YOUR_CLIENT_SECRET'
EOF
kubectl create namespace sops
helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
--namespace sops -f azure_values.yamlcat <<EOF > azure_secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: azure-sp-credentials
type: Opaque
stringData:
clientId: 9c325550-b264-4aee-ab6f-719771adda28
tenantId: 6ec4c881-32ee-4340-a456-d6ca65a42193
clientSecret: 'YOUR_CLIENT_SECRET'
EOF
cat <<EOF > azure_values.yaml
azure:
enabled: true
existingSecret: azure-sp-credentials
EOF
kubectl create namespace sops
kubectl apply -n sops -f azure_secret.yaml
helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
--namespace sops -f azure_values.yaml- create SopsSecret file, for example:
cat >jenkins-secrets.yaml <<EOF
apiVersion: isindir.github.com/v1alpha2
kind: SopsSecret
metadata:
name: example-sopssecret
spec:
secretTemplates:
- name: jenkins-secret
labels:
"jenkins.io/credentials-type": "usernamePassword"
annotations:
"jenkins.io/credentials-description" : "credentials from Kubernetes"
data:
username: myUsername
password: 'Pa$$word'
- name: some-token
data:
token: Wb4ziZdELkdUf6m6KtNd7iRjjQRvSeJno5meH4NAGHFmpqJyEsekZ2WjX232s4Gj
- name: docker-login
type: 'kubernetes.io/dockerconfigjson'
data:
.dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"myuser@abc.com","auth":"aW15dXNlcjpteXBhc3M="}}}'
EOF- Encrypt file using
sopsand AWS kms key:
sops --encrypt \
--kms 'arn:aws:kms:<region>:<account>:alias/<key-alias-name>' \
--encrypted-regex='^data' jenkins-secrets.yaml \
> jenkins-secrets.enc.yaml- Encrypt file using
sopsand GCP KMS key:
sops --encrypt \
--gcp-kms 'projects/<project-name>/locations/<location>/keyRings/<keyring-name>/cryptoKeys/<key-name>' \
--encrypted-regex='^data' jenkins-secrets.yaml \
> jenkins-secrets.enc.yaml- Encrypt file using
sopsand Azure Keyvault key:
sops --encrypt \
--azure-kv 'https://<vault-url>/keys/<key-name>/<key-version>' \
--encrypted-regex='^data' jenkins-secrets.yaml \
> jenkins-secrets.enc.yaml- Encrypt file using
sopsand PGP key:
sops --encrypt \
--pgp '<pgp-finger-print>' \
--encrypted-regex='^data' jenkins-secrets.yaml \
> jenkins-secrets.enc.yamlNote: Multiple keys can be used to encrypt secrets. At the time of decryption access to one of these is needed. For more information see
sopsdocumentation.
Mozilla Public License Version 2.0
sops-secrets-operatoris not strictly following Kubernetes OpenAPI naming conventions. This is due to the fact thatsopsgenerates substructures in encrypted file with incompatible to OpenAPI names (containing underscore symbols, where it should belowerCamelCasefor OpenAPI compatibility).sops-secrets-operatoris not using standardsopslibrary decryption interface function, modified upstream function is used to decrypt data which ignoresencsignature field insopsmetadata. This is due to the fact that when Kubernetes resource is applied it is always mutated by Kubernetes, for example resource version is generated and added to the resource. But any mutation invalidatessopsmetadataencfield and standard decryption function fails.
Projects and tools inspired development of sops-secrets-operator: