A Kustomize generator plugin that reads SOPS encoded files and converts them to Kubernetes Secrets
- Go 1.16 (needs cgo support, so follow the official installation instructions)
kustomize
(go get sigs.k8s.io/kustomize/kustomize/[email protected]
)- Make
- Mozilla's SOPS
Building is straightforward, just run make build
It will install it into the first directory that it finds and that exists, in this order:
$KUSTOMIZE_PLUGIN_HOME
, if you have it set$XDG_CONFIG_HOME/kustomize/plugin
, ifXDG_CONFIG_HOME
is set,$HOME/.config/kustomize/plugin
$HOME/kustomize/plugin
For development, $HOME/kustomize/plugin
is usually good enough, unless you explicitly want to use $KUSTOMIZE_PLUGIN_HOME
To simplify testing, there's an ASCII armored PGP key pair provided in __test__/pgp.asc
; import it into your PGP ring.
You need to know which PGP executable you're using, since some of them aren't compatible/aware of eachother. Assuming you are on
a relatively up-to-date system, you'll be using gpg
by default, so this will suffice gpg --import __test__/pgp.asc
. If you're
using gpg2
, then use that, but remember which PGP executable you're using.
It should be as simple as running make test
.
If you're using a different PGP executable, then you will need to tell SOPS about it,
you can do this by setting the SOPS_GPG_EXEC
env variable either inline, or before running the tests:
export SOPS_GPG_EXEC=gpg2
make test
or
make SOPS_GPG_EXEC=gpg2 test
Provided you followed the previous steps, you can add more fixtures to __test__/plain
and run make fixture
(same caveat about custom PGP executable applies).
Currently, non-builtin plugins require you to use kustomize
executable, and to have it built from source. Installing Go is very easy, as is compiling
and installing Kustomize (you need to run the go get
command below in this repo).
go get sigs.k8s.io/kustomize/kustomize/[email protected]
That's it.
The reason for this is explained in more depth in A little about Go Kustomize plugins.
The docker image bundles kustomize and this plugin inside an Alpine Linux image. The purpose of this is to allow/simplify kustomize with the plugin inside our GitLab-CI pipeline.
An example of how this might be used:
job:
image: registry.gitlab.com/mollybet/kustomize-sopsgenerator/kustomizer
script:
- kustomize build --enable_alpha_plugins path/to/kustomization -o output/dir
The API is similar to that of the builtin SecretGenerator
, the only thing that's not supported are literals
, but that's on purpose, because then we'd have
to encode SOPS data with those, and we'd be deviating from the standard (as far as I know), which I wanted to avoid.
envs
-[]string
: List of env files to expand as top-level entries in the secret. Env entries here take precedence over filename entriesfiles
-[]string
: List of files to be included as secrets. The secret entry name will be the filename, and the value will be the contents. It's possible to rename the entry by doingname=someFile.txt
. All files that are supported by SOPS natively are also supported here. In the "worst case" SOPS decays the type to "binary" so some niceties like unencrypted key-names are lost.
What's missing are literals
, but there is no plan to support those for now, since they can easily be emulated using .env
files or .ini
files.
SecretGenerator
also supports "name-only" entries in .env
files like SOME_VARIABLE
, which is different from SOME_VARIABLE=
.
The former signals SecretGenerator
to read the value from the currently executing environment, and the latter means an empty value.
SOPS doesn't support this out of the box. We could add it via our own syntax, but I'd rather avoid deviating from the standard before the need for it arises.
See the examples folder for a more concrete example. The examples assume you imported the testing PGP key.
To get more useful logging information, you can add the omninonsense.github.io/sopsgenerator.logLevel
annotation, it accepts one of the following
values (both sops and this plugin use logrus
):
panic
fatal
error
- (default)
warn
, orwarning
info
debug
trace
SOPS logs some failures as... Info. So, when in doubt, set log level to debug
, it will at least point you in the right direction.
- More tests
- Don't use kustomize's internal testing framework, since it wants things inside
~/
- Consider switching to an executor plugin? Go's compilation skew might become an annoying problem in the future