docs: add guide for using sops

ryan-distrust.co 2023-05-15 21:51:31 -04:00
parent c3bc04a6ee
commit 2e5a3e0802
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 55 additions and 0 deletions


@ -0,0 +1,55 @@
# Encrypting
To encrypt a Kubernetes `v1/Secret` with sops from the command line:
```sh
sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml <file>
```
`sops` does not recognize `-` as standard input, so to use standard input on
Linux systems you can use `/dev/stdin`. Input type is set to `json` assuming
the file passed in will be generated by `terraform`, but if made by hand can
be set to `yaml` or, if using a filepath, omitted entirely.
When a secret is available in Terraform's output, the following pattern can be
used to extract the secret from Terraform and encrypt it to a Kubernetes
Secret:
```sh
sops exec-env secrets/production.env \
'terraform c-chdir=infra/main output -json' \
| jq '.database_users.value.keycloak' \
| sops --encrypt --encrypted-regex '^(data|stringData)' --input-type=json --output-type=yaml /dev/stdin \
> kustomizations/keycloak/postgres-auth.enc.yaml
```
# Decrypting
To decrypt a Kubernetes `v1/Secret` encrypted with sops, using `ksops`:
```yaml
# secret.enc.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret-stuff
stringData:
hello: "ENC[AES256_GCM,data:9m+JbWLI=,tag:KTOvMahnDdOnmAEAqzfaMw==,type:str]"
---
# secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: ksops
files:
- ./secret.enc.yaml
# kustomization.yaml
generators:
- secret-generator.yaml
```
When running `kustomize`, be sure to pass the `--enable-alpha-plugins` flag.
# Editing
`sops <file>`
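Review bot: the pipeline in the Encrypting section runs `terraform c-chdir=infra/main output -json`, which is missing the leading dash on the chdir flag and will fail as an unknown `terraform` command; it should read `terraform -chdir=infra/main output -json`. In the same pipeline the regex `'^(data|stringData)'` drops the trailing `$` that the first example uses (`'^(data|stringData)$'`), so any key merely prefixed with `data` would also be encrypted; the two examples should agree. In the Decrypting listing, as rendered here, `name:` under `metadata:` and the entries under `files:` and `generators:` sit at the same indentation as their parent keys, which is not valid YAML, and the `# kustomization.yaml` document has no `---` separator before it; since the comments mark these as three separate files, one fenced block per file would be clearer. Finally, the Editing section is a bare `sops <file>` with no sentence saying what the command does to the file; a one-line explanation would make the section useful.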