Kustomize generator plugin that generates Secrets from sops-encrypted files
mabushey/kustomize-sopssecretgenerator
kustomize-sopssecretgenerator

SecretGenerator ❤ sops

Why use this?

Kustomize is a great tool for implementing a GitOps workflow. When a repository describes the entire system state, it often contains secrets that need to be encrypted at rest. Mozilla's sops is a simple and flexible tool that is very suitable for that task.

This Kustomize plugin allows you to create Secrets transparently from sops-encrypted files during resource generation. It is explicitly modeled after the builtin SecretGenerator plugin. Because it is an exec plugin, it is not tied to the specific compilation of Kustomize, like Go plugins are.

Alternatives

There are a number of other plugins that can serve the same function:

Additionally, there are other ways to use sops-encrypted secrets in Kubernetes:

Most of these projects are in constant development. I invite you to check them out and pick the project that best fits your goals.

Credit goes to Seth Pollack for the Kustomize Secret Generator Plugins KEP and subsequent implementation that made this possible.

Installation

Note: Exec plugins do not seem to work on Windows at the moment. See issues goabout/kustomize-sopssecretgenerator#14 and kubernetes-sigs/kustomize#2924.

Download the SopsSecretGenerator binary for your platform from the GitHub releases page and move it to $XDG_CONFIG_HOME/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator. (By default, $XDG_CONFIG_HOME points to $HOME/.config on Linux and OS X, and %LOCALAPPDATA% on Windows.)

For example, to install version 1.3.2 on Linux:

VERSION=1.3.2 PLATFORM=linux ARCH=amd64
curl -Lo SopsSecretGenerator https://github.com/goabout/kustomize-sopssecretgenerator/releases/download/v${VERSION}/SopsSecretGenerator_${VERSION}_${PLATFORM}_${ARCH}
chmod +x SopsSecretGenerator
mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator"
mv SopsSecretGenerator "${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator"

You do not need to install the sops binary for the plugin to work. The plugin includes and calls sops internally.

Usage

Create some encrypted values using sops:

echo FOO=secret >secret-vars.env
sops -e -i secret-vars.env

echo secret >secret-file.txt
sops -e -i secret-file.txt

Add a generator to your kustomization:

cat <<. >kustomization.yaml
generators:
  - generator.yaml
.

cat <<. >generator.yaml
apiVersion: goabout.com/v1beta1
kind: SopsSecretGenerator
metadata:
  name: my-secret
envs:
  - secret-vars.env
files:
  - secret-file.txt
.

Run kustomize build with the --enable_alpha_plugins flag:

kustomize build --enable_alpha_plugins

The output is a Kubernetes secret containing the decrypted data:

apiVersion: v1
data:
  FOO: J3NlY3JldCc=
  secret-file.txt: c2VjcmV0Cg==
kind: Secret
metadata:
  name: my-secret-6d2fchb89d

Like SecretGenerator, SopsSecretGenerator supports the generatorOptions fields. Data key-values ("envs") can be read from dotenv, YAML and JSON files. If the data is a file and the Secret data key needs to be different from the filename, you can use key=file.

An example showing all options:

apiVersion: goabout.com/v1beta1
kind: SopsSecretGenerator
metadata:
  name: my-secret
  labels:
    app: my-app
  annotations:
    create-by: me
behavior: create
disableNameSuffixHash: true
envs:
  - secret-vars.env
  - secret-vars.yaml
  - secret-vars.json
files:
  - secret-file1.txt
  - secret-file2.txt=secret-file2.sops.txt
type: Oblique
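The envs and files entries above are exactly what the plugin reads, so a file that was never passed through sops -e would be committed to the repository as plaintext. As an added pre-commit style check that is not part of the plugin, the following Python verifies that such inputs in the two formats the standard library can parse (dotenv, and JSON, which is also what sops writes for an encrypted plain file) carry sops metadata and contain only ENC[...] values; YAML is left out because it needs a YAML parser. It assumes the sops conventions of a `sops_`-prefixed metadata key family in dotenv and a top-level `sops` block with a `mac` in JSON, assumes `key=file` entries split at the first `=`, and the sample contents are constructed.

```python
import json
import re

# Shape of a sops-encrypted leaf value, e.g. ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:\w+\]$")


def split_files_entry(entry):
    """Split a `files:` entry: 'key=path' -> (key, path); a bare path is its own key."""
    key, sep, path = entry.partition("=")
    return (key, path) if sep else (entry, entry)


def dotenv_is_encrypted(text):
    """sops dotenv: every non-sops_ value is ENC[...] and a sops_mac line exists."""
    has_mac = False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "sops_mac":
            has_mac = value.startswith("ENC[")
        elif not key.startswith("sops_") and not ENC.match(value):
            return False  # a plaintext value slipped in
    return has_mac


def json_is_encrypted(text):
    """sops JSON (also what `sops -e` produces for a plain file): a top-level 'sops'
    block carrying a mac, and every other leaf value an ENC[...] string."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict) or "mac" not in meta:
        return False

    def leaves(node):
        if isinstance(node, dict):
            return [leaf for child in node.values() for leaf in leaves(child)]
        if isinstance(node, list):
            return [leaf for child in node for leaf in leaves(child)]
        return [node]

    body = {k: v for k, v in doc.items() if k != "sops"}
    return all(isinstance(v, str) and ENC.match(v) for v in leaves(body))


# Constructed samples (ciphertext fields shortened; not real sops output).
ENCRYPTED_ENV = ("FOO=ENC[AES256_GCM,data:Yg==,iv:aQ==,tag:dA==,type:str]\n"
                 "sops_mac=ENC[AES256_GCM,data:bQ==,iv:aQ==,tag:dA==,type:str]\n"
                 "sops_lastmodified=2024-01-01T00:00:00Z\n")
PLAINTEXT_ENV = "FOO=secret\n"
ENCRYPTED_FILE = json.dumps({"data": "ENC[AES256_GCM,data:Yg==,iv:aQ==,tag:dA==,type:str]",
                             "sops": {"mac": "ENC[AES256_GCM,data:bQ==,iv:aQ==,tag:dA==,type:str]"}})
```

Run it over the path part of every envs and files entry before committing; any False means sops -e was skipped for that file.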

Using SopsSecretGenerator with ArgoCD

SopsSecretGenerator can be added to ArgoCD by patching an initContainer into the ArgoCD provided install.yaml.
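One way to do that, as an added example rather than a manifest from this project or from ArgoCD: a Kustomize strategic-merge patch that lets an initContainer fetch the release binary into a shared volume mounted at the plugin path of the repo server, plus the argocd-cm setting that makes the repo server pass --enable_alpha_plugins to kustomize build. The deployment and container name `argocd-repo-server`, the ConfigMap name `argocd-cm` and its `kustomize.buildOptions` key are ArgoCD's; the `/home/argocd` home directory, the `alpine` init image and the volume names are assumptions. The repo server additionally needs access to a sops decryption key (an imported GPG key or cloud KMS credentials), which is not shown here.

```yaml
# Strategic-merge patch applied on top of the upstream ArgoCD install.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      volumes:
        - name: kustomize-plugins   # assumed name; shared between init and main container
          emptyDir: {}
      initContainers:
        - name: install-sopssecretgenerator
          image: alpine             # assumed; any image with wget or curl (pin a digest in production)
          env:
            - name: VERSION
              value: "1.3.2"
          command: [sh, -c]
          args:
            - |
              set -eu
              dir=/plugins/goabout.com/v1beta1/sopssecretgenerator
              mkdir -p "$dir"
              wget -O "$dir/SopsSecretGenerator" \
                "https://github.com/goabout/kustomize-sopssecretgenerator/releases/download/v${VERSION}/SopsSecretGenerator_${VERSION}_linux_amd64"
              # Verify the download against a checksum you recorded for this release
              # before trusting it; the binary will decrypt every secret ArgoCD renders.
              chmod +x "$dir/SopsSecretGenerator"
          volumeMounts:
            - name: kustomize-plugins
              mountPath: /plugins
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - name: kustomize-plugins
              # $XDG_CONFIG_HOME/kustomize/plugin for the repo-server user (home assumed)
              mountPath: /home/argocd/.config/kustomize/plugin
---
# Exec plugins are only loaded when kustomize build runs with the alpha-plugin flag.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  kustomize.buildOptions: --enable_alpha_plugins
```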

Development

You will need Go 1.13 or higher to develop and build the plugin.

Test

Run all tests:

make test

In order to create encrypted test data, you need to import the secret key from testdata/keyring.gpg into your GPG keyring once:

cd testdata
gpg --import keyring.gpg

You can then use sops to create encrypted files:

sops -e -i newfile.txt

Build

Create a binary for your system:

make

The resulting executable will be named SopsSecretGenerator.

Release

This project uses goreleaser to publish releases on GitHub.

First create a Git tag for the release:

git tag -a v$VERSION

Then make releases for all supported platforms:

make release

Binaries can be found in dist.

If everything looks good, set a GitHub personal access token in the GITHUB_TOKEN environment variable (or in a file named .github_token) and publish the release to GitHub:

export GITHUB_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
make publish-release
