
This is a *very* simple wrapper to allow use of [sops](https://github.com/mozilla/sops) encoded secrets within [kustomize](https://github.com/kubernetes-sigs/kustomize).

Primary LanguageGoApache License 2.0Apache-2.0


This is a very simple wrapper to allow use of sops encoded secrets within kustomize.

It assumes that there exists a single secrets.enc.yaml file, and in it there is a 1-deep YAML representation of SECRET: VALUE.

Assume you had a raw secrets as secrets.yaml:

CAT: ferocious
DOG: tame

You would then encrypt it something like:

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

You would use a kustomization.yaml file as:

- name: mysecrets
  - name: kustomize-sops
    pluginType: go
    - CAT
    - DOG

And then running kustomize --enable_alpha_goplugins_accept_panic_risk build . would yield:

apiVersion: v1
  CAT: ZmVyb2Npb3Vz
  DOG: dGFtZQ==
kind: Secret
  name: mysecrets-4g7fk45c8c
type: Opaque

More information is in the blog post.

Install Pre-requisites

go get -u github.com/kubernetes-sigs/kustomize
go get -u go.mozilla.org/sops/cmd/sops

Build & Install plugin

mkdir -p ~/.config/kustomize/plugin/kvSources
go build -buildmode plugin -o ~/.config/kustomize/plugin/kvSources/kustomize-sops.so kustomize-sops.go


kustomize --enable_alpha_goplugins_accept_panic_risk build .

Setup encrypted secrets

gcloud auth application-default login
gcloud kms keyrings create sops --location global
gcloud kms keys create sops-key --location global --keyring sops --purpose encryption
gcloud kms keys list --location global --keyring sops
# NAME                                                                      PURPOSE          LABELS  PRIMARY_ID  PRIMARY_STATE
# projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key  ENCRYPT_DECRYPT          1           ENABLED

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml