A plugin for kustomize to generate secrets from sops encrypted files.
The plugin requires python
and PyYAML
library.
bash install.sh
This will copy the plugin to $XDG_CONFIG_HOME directory.
There are three different ways to generate a secret:
- from encrypted dotenv files (
KEY=VALUE
, one per line), - from an encrypted file,
- from literal values inside the kustomization file itself.
Use sops to encrypt some secrets as a dotenv file:
sops foo.env
Use sops to encrypt a text file:
sops secretfile.txt
Make a kustomization resource file referring to the above secrets and also defining some additional key value pairs:
cat << EOF > secret.yml
apiVersion: barlik/v1
kind: SopsSecret
metadata:
name: mysecret
labels:
security: high
annotations:
kustomize.config.k8s.io/needs-hash: "false"
envs:
- foo.env
files:
- secretfile.txt
literals:
- DB_USERNAME=admin
- DB_SERVER=localhost
EOF
Add the secrets generator to the kustomization.yml file:
cat << EOF > kustomization.yml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- secret.yml
EOF
And finally, run kustomize build to generate the secret:
apiVersion: v1 kind: Secret metadata: name: mysecret labels: security: high stringData: DB_USERNAME: admin DB_SERVER: localhost secretfile.txt: <unencrypted contents from secretfile.txt> KEY: VALUE <key value pairs from dotenv file> ...