
Mozilla SOPS

I'm currently using Mozilla SOPS 🔑  to manage secrets on my cluster.

🛳  Deployment

I used the Flux Mozilla SOPS Guide to help set up SOPS on my cluster, excluding the Configure in-cluster secrets decryption section. The biggest problem I had was understanding the asymmetric encryption mechanism that SOPS uses. I found that the Manage Kubernetes Secrets with Mozilla SOPS & Flux 2 (with Leigh Capili) 🎞  video on YouTube helped me understand the concept a lot.

I also didn't spend the time to figure out how to patch the ./flux-system/gotk-sync.yaml with a separate file and so I just ended up editing the file directly.

# ./flux-system/gotk-sync.yaml
...
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
...

Make sure that the flux-system Kustomization picks up the change and reconciles after applying the patch (its READY column should return to True):

kubectl get Kustomization -n flux-system

Make sure that the basic-auth Secret was decrypted and created successfully; the Kustomization's events list the applied objects:

kubectl describe Kustomization flux-system -n flux-system | grep basic-auth
secret/basic-auth created

💻  Commands

Here are some commands that I found helpful when setting up SOPS.

Encrypt the basic-auth.yaml secret in place with SOPS using your GPG key (with a .sops.yaml creation rule in the repository, sops takes the key fingerprint and the encrypted_regex from it, so only data and stringData are encrypted and the rest of the manifest stays readable):

sops --encrypt --in-place basic-auth.yaml

Print a secret's values base64-decoded without external tools (useful when testing the basic-auth example; replace my-secret with the Secret's name):

kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'

🔑  Import the Public GPG Key Using Task

Task (go-task) may be used to import the public GPG key:

task gpg:import

Check for Unencrypted Secrets Using pre-commit

I use a custom pre-commit hook that runs this script to check that resources of kind Secret are encrypted using SOPS:

pre-commit run check-sops-secrets

Note

The script does not check if the secret is out of date!
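As an added example (not the author's hook script, which this page links to but does not reproduce), here is a stand-alone shell version of the same check that a pre-commit hook could run. It assumes one Kubernetes object per manifest file and that SOPS was configured with encrypted_regex ^(data|stringData)$, so that only those keys hold ciphertext; the three sample manifests it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not the author's hook script): a stand-alone version of the
# "are all Secrets SOPS-encrypted?" check that a pre-commit hook can run.
# Assumptions: one Kubernetes object per manifest file, and SOPS was run with
# encrypted_regex ^(data|stringData)$, so only those keys carry ciphertext.

# is_sops_encrypted FILE
#   0  -> a Secret whose data/stringData values are all ENC[...] envelopes
#   1  -> a Secret with a plaintext value, or with no sops: block at all
#   2  -> not a Secret (nothing to check)
is_sops_encrypted() {
  f="$1"
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || return 2
  # sops stores its metadata (key material, MAC, version) under a top-level sops: key.
  grep -Eq '^sops:' "$f" || return 1
  # Walk the file by top-level key; inside data:/stringData: every "key: value"
  # line must carry the ENC[...] envelope. Comment lines are skipped.
  # (Multi-line block scalars are not parsed; a line inside one that looks like
  #  "key: value" would be flagged, which errs on the safe side.)
  awk '
    /^[A-Za-z]/ { section = $1 }
    section == "data:" || section == "stringData:" {
      if ($0 ~ /^[[:space:]]+[^[:space:]#]+:/ && $0 !~ /ENC\[/) plaintext = 1
    }
    END { exit plaintext ? 1 : 0 }
  ' "$f"
}

# check_sops_secrets FILE...
#   Reports every unencrypted Secret on stderr and returns 1 if any was found,
#   which is what makes a pre-commit hook reject the commit.
check_sops_secrets() {
  rc=0
  for f in "$@"; do
    status=0
    is_sops_encrypted "$f" || status=$?
    if [ "$status" -eq 1 ]; then
      echo "unencrypted Secret: $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# write_sample_manifests DIR
#   Constructed sample files: a SOPS-encrypted Secret (ciphertext, IV, tag and
#   fingerprint are placeholders), a plaintext Secret, and a ConfigMap to ignore.
write_sample_manifests() {
  cat > "$1/encrypted.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: basic-auth
    namespace: default
type: Opaque
stringData:
    username: ENC[AES256_GCM,data:9wWq6w==,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    password: ENC[AES256_GCM,data:4f3mkA==,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    pgp:
        - created_at: "2021-01-01T00:00:00Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            PLACEHOLDER
            -----END PGP MESSAGE-----
          fp: 0000000000000000000000000000000000000000
    encrypted_regex: ^(data|stringData)$
    version: 3.7.1
EOF
  cat > "$1/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQ=
EOF
  cat > "$1/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
EOF
}

# Demo: plain.yaml is reported, the other two files pass.
demo_dir=$(mktemp -d)
write_sample_manifests "$demo_dir"
check_sops_secrets "$demo_dir"/*.yaml || echo "pre-commit would block this commit"
rm -rf "$demo_dir"
```

Like the author's script, this only checks shape (a sops: block plus ENC[...] envelopes on every value); it does not verify the MAC or confirm that the ciphertext is current, so `sops --decrypt` remains the real test that a file is usable.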