Implement SOPS to manage securely storing secrets in source control
xunholy opened this issue · 4 comments
Details
Currently, git-crypt is being used within the repository and works nicely, however, there is no visibility into the secret structure of the resource so users who fork the repo don't know what key pair values are required in these secret objects without having to inspect each sealed secret respectively.
SOPS provides encryption similar to git-crypt whilst allowing the structure to be viewable and providing a DIFF in the pull request process.
During testing I decided to use GCP KMS https://github.com/mozilla/sops#22encrypting-using-gcp-kms
Overall I'm quite happy with SOPS and it could be a nice replacement for git-crypt, although it feels like just an extra layer of redundancy as sealed-secrets also provides the secret structure, although the caveat is it cannot be decrypted external to the cluster (it can be but is discouraged).
If SOPS were to be a replacement to git-crypt it would also require a nice wrapper script to decrypt all the files similar to the functionality you would get with git-crypt unlock rather than decrypting individual files.
Additionally using the .sops.yaml config file would be useful: https://github.com/mozilla/sops#210using-sopsyaml-conf-to-select-kmspgp-for-new-files.
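A wrapper of the kind the comment above asks for, added here as an illustration rather than code from this repository: the `sops-unlock.sh` name, the output directory and the "sops: block plus ENC[...] value" detection heuristic are my assumptions, and `sops` is assumed to already have access to the GCP KMS key named in each file's metadata.

```shell
#!/usr/bin/env bash
# sops-unlock.sh (hypothetical name): decrypt every SOPS-encrypted YAML/JSON
# file under a directory in one go, the way `git-crypt unlock` reveals all
# encrypted files at once instead of running `sops -d` per file.
set -euo pipefail

# A file is treated as SOPS-encrypted when it carries the metadata block sops
# writes (top-level "sops:" key, or "sops": in JSON) and at least one ENC[ value.
is_sops_encrypted() {
  local f="$1"
  grep -qE '^"?sops"?:' "$f" && grep -qE 'ENC\[' "$f"
}

# Print the paths of all encrypted YAML/JSON files under $1 (default: .),
# skipping .git, sorted so the output is stable.
list_sops_files() {
  local root="${1:-.}"
  local f
  find "$root" -type f \( -name '*.yaml' -o -name '*.yml' -o -name '*.json' \) \
    -not -path '*/.git/*' -print | sort | while read -r f; do
    if is_sops_encrypted "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Decrypt each file into $out_dir (assumed default: .sops-decrypted), keeping
# the relative path, so plaintext never lands beside the committed ciphertext.
# Add out_dir to .gitignore to keep decrypted secrets out of the next commit.
decrypt_all() {
  local root="${1:-.}" out_dir="${2:-.sops-decrypted}"
  local f dest
  list_sops_files "$root" | while read -r f; do
    dest="$out_dir/${f#"$root"/}"
    mkdir -p "$(dirname "$dest")"
    # Needs the GCP KMS key referenced in the file's sops metadata.
    sops --decrypt "$f" > "$dest"
    echo "decrypted $f -> $dest"
  done
}
```

Run `decrypt_all path/to/repo` after `gcloud auth application-default login`; the detection step alone (`list_sops_files`) is useful in CI to confirm nothing under the secrets path was committed in plaintext.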
One added benefit to using SOPS is it can be an easy replacement for sealed-secrets also when using Fluxv2, although sealed-secrets is more geared to a multi-tenant type environment which is still good practice to use in this demonstration cluster.
The first implementation of SOPS will be running it in parallel with git-crypt. Additional investigation might be required to determine how running audit mode can be leveraged using a PostgreSQL DB potentially hosted in CloudSQL in GCP.
Deciding SOPS will be used in conjunction with git-crypt and will not remove sealed-secrets at this present time.