Using Mozilla SOPS with the GitOps Toolkit (Flux CD v2) to decrypt and apply Kubernetes secrets

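# Install the sops CLI from its GitHub release and verify the download before it
# is placed on PATH: a binary fetched over the network with no integrity check
# is a supply-chain weak point. Set SOPS_SHA256 from the checksum published on
# the release page; the value below is a placeholder, not a real digest.
SOPS_VERSION=v3.7.1
SOPS_SHA256="<EXPECTED_SHA256_OF_sops-v3.7.1.linux>"
tmp="$(mktemp)"
wget -O "${tmp}" "https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux"
# sha256sum -c exits non-zero on mismatch; stop rather than install a bad binary.
echo "${SOPS_SHA256}  ${tmp}" | sha256sum -c - || { echo "sops checksum mismatch" >&2; rm -f "${tmp}"; exit 1; }
# install(1) copies and sets mode 0755 in one step (same result as chmod 755).
sudo install -m 0755 "${tmp}" /usr/local/bin/sops
rm -f "${tmp}"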
# Obtain Application Default Credentials for the local gcloud/sops commands
# that follow; the JSON file it writes (path shown in the output below) grants
# whoever can read it the same cloud access as the logged-in account.
$ gcloud auth application-default login
Go to the following link in your browser:

https://accounts.google.com/o/oauth2/auth?code_challenge=xxxxxxx&prompt=select_account&code_challenge_method=S256&access_type=offline&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&client_id=xxxxxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth


Enter verification code: xxxxxxxxxxxxxxx

Credentials saved to file: [/home/ubuntu/.config/gcloud/application_default_credentials.json]

These credentials will be used by any library that requests Application Default Credentials (ADC).
# Create the KMS key ring and the symmetric encrypt/decrypt key sops will use
# to wrap each file's data key; the key material itself stays in Cloud KMS.
# A rotation schedule (--rotation-period) is worth considering for long-lived
# repositories; it is not set here.
$ gcloud kms keyrings create sops --location=global
$ gcloud kms keys create sops-key --location=global --keyring=sops --purpose=encryption
# Show the resulting key; its resource ID goes into .sops.yaml below.
$ gcloud kms keys list --location=global --keyring=sops
NAME PURPOSE ALGORITHM PROTECTION_LEVEL LABELS PRIMARY_ID PRIMARY_STATE
projects/kubernetes-xxxxxx/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT GOOGLE_SYMMETRIC_ENCRYPTION SOFTWARE 1 ENABLED
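# .sops.yaml — tells sops which key to use and which fields to encrypt.
# (Re-indented: as flattened on the page the rule's keys were not nested.)
creation_rules:
  # Matched against the file path relative to this .sops.yaml.
  - path_regex: \.yaml$
    # The Cloud KMS key created above (project id is the page's placeholder).
    gcp_kms: projects/kubernetes-xxxxxx/locations/global/keyRings/sops/cryptoKeys/sops-key
    # Only the Secret payload is encrypted; apiVersion/kind/metadata stay in
    # clear text so the resource is still readable and diffable in Git.
    encrypted_regex: ^(data|stringData)$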
# The plain-text Secret before encryption — never commit it in this form.
$ cat secret.yaml
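---
# Secret as written before sops runs. The data values are only base64
# (username "admin", password "1f2d1e2e67df"), which is an encoding, not
# protection — hence the encryption step before pushing to the repo Flux
# reconciles from. Re-indented so metadata/data are proper nested mappings.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm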
# Encrypt to stdout (the file on disk is unchanged) so the result can be
# inspected before the in-place run below.
$ sops --encrypt secret.yaml
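# Output of `sops -e`: only keys matched by encrypted_regex (data/stringData)
# become ENC[...] values; the sops block records which KMS key wraps the
# data key and a MAC so edits to the ciphertext are detected on decrypt.
# <-HASH-> is the page's placeholder. Re-indented into nested mappings.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  username: ENC[AES256_GCM,data:<-HASH->,type:str]
  password: ENC[AES256_GCM,data:<-HASH->,type:str]
sops:
  kms: []
  gcp_kms:
    - resource_id: projects/kubernetes-xxxxxx/locations/global/keyRings/sops/cryptoKeys/sops-key
      created_at: '2021-03-01T17:25:29Z'
      # Data key wrapped by the KMS key; unusable without KMS decrypt rights.
      enc: <-HASH->
  azure_kv: []
  lastmodified: '2021-03-01T17:25:29Z'
  mac: ENC[AES256_GCM,data:<-HASH->,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  # NOTE(review): the page installs sops v3.7.1 above but this output says
  # 3.5.0 — presumably captured with an older binary; confirm.
  version: 3.5.0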
# Now overwrite secret.yaml with its encrypted form; this is the version that
# gets committed.
$ sops --encrypt --in-place secret.yaml
# Decrypt to stdout to confirm the round trip (requires KMS decrypt access).
$ sops --decrypt secret.yaml
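# `sops -d` output: identical to the original plain-text Secret, which shows
# the round trip through Cloud KMS works. Re-indented into nested mappings.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm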
# With no flag sops opens the decrypted file in an editor and re-encrypts on
# save; nothing was changed here, hence the message below.
$ sops secret.yaml 
File has not changed, exiting.
# Store the GCP credentials file as a Secret in the Flux namespace. The key
# name is given explicitly (it defaults to the file's basename anyway) because
# the pod below mounts it by that name.
$ kubectl create secret generic gcp-auth --namespace=gotk-system --from-file=sops-gcp=./sops-gcp
# Note: printing the Secret as YAML dumps the base64 credentials to the
# terminal and shell history; fine for a walkthrough, avoid on shared hosts.
$ kubectl get secret gcp-auth --namespace=gotk-system --output=yaml
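# The stored credentials Secret. Anyone who can `get` Secrets in gotk-system
# can recover the GCP credentials JSON, so keep RBAC on that namespace tight
# and rotate the key on a schedule. Re-indented into nested mappings.
apiVersion: v1
data:
  # Base64 of the credentials file uploaded with --from-file (page placeholder).
  sops-gcp: <-BASE64-ENCODED-GCP-AUTH-JSON->
kind: Secret
metadata:
  creationTimestamp: "2021-03-01T17:34:11Z"
  name: gcp-auth
  namespace: gotk-system
  resourceVersion: "1879000"
  selfLink: /api/v1/namespaces/gotk-system/secrets/gcp-auth
  uid: 10a14c1f-19a6-41a2-8610-694b12efefee
type: Opaque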
...
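# Fragment of the kustomize-controller pod spec: the credentials Secret is
# mounted read-only and GOOGLE_APPLICATION_CREDENTIALS points sops at it.
# Re-indented into nested mappings. The volume's secretName is changed from
# `sops-gcp` to `gcp-auth`: that is the name the Secret was created with
# above (`kubectl create secret generic gcp-auth`), and a volume referencing
# a Secret that does not exist leaves the pod unable to start.
spec:
  containers:
    # ... other container fields elided on the page ...
    - env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          # <mountPath>/<secret key>; the key is `sops-gcp` from --from-file.
          value: /tmp/.gcp/credentials/sops-gcp
      name: manager
      volumeMounts:
        - mountPath: /tmp/.gcp/credentials
          name: sops-gcp
          # Credentials are never written to by the controller.
          readOnly: true
  volumes:
    - name: sops-gcp
      secret:
        # 420 decimal == 0644; the projected file is readable in the container.
        defaultMode: 420
        # Must match the Secret created in gotk-system above.
        secretName: gcp-auth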
...
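# Flux Kustomization reconciling ./clusters/cluster-dev from the github-source
# GitRepository. `decryption.provider: sops` makes kustomize-controller decrypt
# sops-encrypted manifests before applying them, using the credentials mounted
# into its pod above. Re-indented into nested mappings.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: cluster
  namespace: gotk-system
spec:
  decryption:
    provider: sops
  # Reconcile every five minutes.
  interval: 5m0s
  path: ./clusters/cluster-dev
  # Objects removed from Git are deleted from the cluster — deliberate, but a
  # bad commit can remove live resources.
  prune: true
  sourceRef:
    kind: GitRepository
    name: github-source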
# Confirm Flux decrypted and applied the Secret into the default namespace.
$ kubectl get secret mysecret --namespace=default --output=yaml
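# The Secret as Flux applied it: values are plain base64 again, i.e. the
# decryption happened in-cluster. Read access to Secrets in `default` is
# now equivalent to holding these credentials. Re-indented into nested
# mappings.
apiVersion: v1
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
kind: Secret
metadata:
  name: mysecret
  namespace: default
  resourceVersion: "3439293"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 4a009675-3c89-448b-bb86-6211cec3d4ea
type: Opaque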

A highly versatile senior technical lead engineer and qualified IT professional specialising in distributed systems.
