Mozilla SOPS
I'm currently using Mozilla SOPS to manage secrets on my cluster.
Deployment
I used the Flux Mozilla SOPS Guide to help set up SOPS on my cluster, excluding the Configure in-cluster secrets decryption section. The biggest problem I had was understanding the asymmetric encryption mechanism that SOPS uses. I found that the Manage Kubernetes Secrets with Mozilla SOPS & Flux 2 (with Leigh Capili) video on YouTube helped me understand the concept a lot.
I also didn't spend the time to figure out how to patch ./flux-system/gotk-sync.yaml with a separate file, so I just ended up editing the file directly.
# ./flux-system/gotk-sync.yaml
...
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
...
Make sure that the flux-system Kustomization file updates properly after applying the patch.
kubectl get Kustomization -n flux-system
Make sure that the basic-auth secret was created successfully.
kubectl describe Kustomization flux-system -n flux-system | grep basic-auth
secret/basic-auth created
Commands
Here are some commands that I found helpful when setting up SOPS.
Encrypt the basic-auth.yaml secret with SOPS using your GPG key:
sops --encrypt --in-place basic-auth.yaml
Output decoded secrets without external tools. I used this when testing the basic-auth example.
kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'
Import the Public GPG Key Using Task
Task may be used to import the public key.
task gpg:import
Check for Unencrypted Secrets Using pre-commit
I use a custom pre-commit hook that runs this script to check that resources of kind Secret are encrypted using SOPS.
pre-commit run check-sops-secrets
Note
The script does not check if the secret is out of date!
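As an added illustration of the kind of check such a hook performs (this is not the page's own script, and the two sample manifests it contains are constructed, not real cluster secrets), the following Python scans a multi-document YAML manifest, finds documents of kind Secret, and flags any data or stringData value that is not SOPS ciphertext (an ENC[AES256_GCM,...] string) as well as any Secret that lacks the sops metadata block with its mac. It exits non-zero when a problem is found, which is what pre-commit needs to block the commit.

```python
"""Pre-commit style check: every Kubernetes Secret in a manifest must be SOPS-encrypted.

Added example, not the original page's hook script. Parsing is deliberately line-based
and assumes the common flat Secret layout (top-level data:/stringData: mappings of
single-line values), which is what SOPS produces.
"""
import re
import sys
from pathlib import Path

# A SOPS-encrypted scalar looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r'^ENC\[AES256_GCM,data:[^\]]*\]$')
# An indented `key: value` line inside the data/stringData mapping
KV_LINE = re.compile(r'^(\s+)([^\s:#][^:]*):\s*(.*?)\s*$')


def split_documents(text):
    """Split a multi-document YAML manifest on '---' separators."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == '---':
            docs.append('\n'.join(current))
            current = []
        else:
            current.append(line)
    docs.append('\n'.join(current))
    return [d for d in docs if d.strip()]


def is_secret(doc):
    return re.search(r'^kind:\s*Secret\s*$', doc, re.MULTILINE) is not None


def unencrypted_keys(doc):
    """Return the keys under data:/stringData: whose values are not SOPS ciphertext."""
    findings = []
    in_block = False
    for line in doc.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():
            # A new top-level key: only data:/stringData: open a block we inspect.
            in_block = re.match(r'^(data|stringData):\s*$', line) is not None
            continue
        if not in_block:
            continue
        m = KV_LINE.match(line)
        if m is None:
            continue  # continuation line of a block scalar, not a key
        key, value = m.group(2).strip(), m.group(3).strip().strip('"\'')
        if not ENC_VALUE.match(value):
            findings.append(key)
    return findings


def has_sops_metadata(doc):
    """SOPS appends a top-level `sops:` block whose `mac:` authenticates the whole file."""
    return (re.search(r'^sops:\s*$', doc, re.MULTILINE) is not None
            and re.search(r'^\s+mac:\s*ENC\[', doc, re.MULTILINE) is not None)


def check_manifest(text):
    """Return a list of problems; an empty list means every Secret is SOPS-encrypted."""
    problems = []
    for i, doc in enumerate(split_documents(text)):
        if not is_secret(doc):
            continue
        name_m = re.search(r'^\s+name:\s*(\S+)', doc, re.MULTILINE)
        name = name_m.group(1) if name_m else f'document {i}'
        plain = unencrypted_keys(doc)
        if plain:
            problems.append(f'{name}: plaintext values for keys {plain}')
        if not has_sops_metadata(doc):
            problems.append(f'{name}: missing sops metadata block (mac)')
    return problems


# Constructed sample: the basic-auth secret before encryption (would be rejected).
PLAINTEXT_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque
stringData:
  username: admin
  password: hunter2
"""

# Constructed sample: the same secret after `sops --encrypt --in-place`.
# Ciphertext fields are placeholders; other sops metadata fields are omitted.
ENCRYPTED_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque
stringData:
  username: ENC[AES256_GCM,data:Q29uc3RydWN0ZWQ=,iv:AAAA,tag:BBBB,type:str]
  password: ENC[AES256_GCM,data:ZXhhbXBsZQ==,iv:CCCC,tag:DDDD,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:EEEE,tag:FFFF,type:str]
"""


def main(paths):
    """CLI entry point for pre-commit: print every problem and fail if any were found."""
    failed = False
    for p in paths:
        for problem in check_manifest(Path(p).read_text()):
            print(f'{p}: {problem}')
            failed = True
    return 1 if failed else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```

Wire it up with a local pre-commit hook whose entry runs this file over the staged YAML files; like the page's own script, it only verifies that a Secret is encrypted, not that the ciphertext is current.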