1
0
Fork 0
distrust-stack/docs/managing-secrets-with-sops.md

1.5 KiB

Encrypting

To encrypt a Kubernetes v1/Secret with sops from the command line:

sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml <file>

sops does not recognize - as standard input, so to use standard input on Linux systems you can use /dev/stdin. Input type is set to json assuming the file passed in will be generated by terraform, but if made by hand can be set to yaml or, if using a filepath, omitted entirely.

When a secret is available in Terraform's output, the following pattern can be used to extract the secret from Terraform and encrypt it to a Kubernetes Secret:

sops exec-env secrets/production.env \
  'terraform c-chdir=infra/main output -json' \
  | jq '.database_users.value.keycloak' \
  | sops --encrypt --encrypted-regex '^(data|stringData)' --input-type=json --output-type=yaml /dev/stdin \
  > kustomizations/keycloak/postgres-auth.enc.yaml

Decrypting

To decrypt a Kubernetes v1/Secret encrypted with sops, using ksops:

# secret.enc.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-stuff
stringData:
  hello: "ENC[AES256_GCM,data:9m+JbWLI=,tag:KTOvMahnDdOnmAEAqzfaMw==,type:str]"
---
# secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: ksops
files:
- ./secret.enc.yaml
# kustomization.yaml
generators:
- secret-generator.yaml

When running kustomize, be sure to pass the --enable-alpha-plugins flag.

Editing

sops <file>