PoC k8s secrets management with SOPS
PoC using SOPS to manage secrets for k8s with age encryption.
- Install SOPS
brew install sops
- Install age
brew install age
Note: SOPS supports several key backends (AWS KMS, GCP KMS, Azure Key Vault, age, and PGP, among others). We use age throughout this document.
- Optionally, install minikube to run the PoC locally:
brew install minikube
Note: the commands here use Homebrew; on Linux, install the same tools from your distribution's packages or from the projects' GitHub releases.
- First example: generate an age key, encrypt with SOPS, decrypt with SOPS, use a .sops.yaml config file.
- Multi-users: handle multiple users with SOPS and age, remove a user.
- Multi-environments: handle multiple environments with SOPS and age.
- Kubernetes: use SOPS and age to manage secrets for k8s.
We create a file example.yaml with the following content:
user: admin
password: mySuperSecretPassword
We want to encrypt this file with SOPS and age. First, we create an age key pair:
# create a directory to store the keys
mkdir -p secrets/keys
# generate a key pair: age.txt holds the private key (identity) and records the
# matching public key (recipient) as a comment; the public key is also printed
age-keygen -o secrets/keys/age.txt
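The whole first example in one script, as an added example that is not part of the original page: it generates the age key pair, writes a .sops.yaml creation rule for the recipient, encrypts example.yaml, checks that the plaintext password is gone from the ciphertext file, and decrypts a single value back with the private key. It assumes sops and age-keygen are on PATH (the brew installs above) and runs in a throwaway directory that is removed, private key included, on exit. The function name sops_age_roundtrip and the file name example.enc.yaml are my own choices.

```shell
#!/usr/bin/env sh
# Added example (not the page's own code): end-to-end age + SOPS round trip.
# The body runs in a subshell, so `cd`, `trap` and `exit` only affect the subshell.
# Exit status: 0 and the recovered password on stdout on success, 2 if the tools are
# missing, 1 on any failure.
sops_age_roundtrip() (
  command -v sops >/dev/null 2>&1 || exit 2
  command -v age-keygen >/dev/null 2>&1 || exit 2

  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT          # also deletes the throwaway private key
  cd "$work" || exit 1
  mkdir -p secrets/keys

  # 1. plaintext file from the document
  printf 'user: admin\npassword: mySuperSecretPassword\n' > example.yaml

  # 2. age identity; `age-keygen -y` derives the public key (recipient) from it
  age-keygen -o secrets/keys/age.txt 2>/dev/null || exit 1
  recipient=$(age-keygen -y secrets/keys/age.txt) || exit 1

  # 3. .sops.yaml: every *.yaml under this directory is encrypted for that recipient.
  #    sops looks for .sops.yaml from the current directory upwards.
  cat > .sops.yaml <<EOF
creation_rules:
  - path_regex: \\.yaml\$
    age: $recipient
EOF

  # 4. encrypt; the recipient comes from .sops.yaml, so no --age flag is needed
  sops --encrypt example.yaml > example.enc.yaml || exit 1

  # 5. keys stay readable but values must be ENC[...] and the plaintext must be gone
  if grep -q mySuperSecretPassword example.enc.yaml; then
    echo "plaintext leaked into example.enc.yaml" >&2
    exit 1
  fi
  grep -q '^password: ENC\[AES256_GCM,' example.enc.yaml || exit 1

  # 6. decrypt with the private key; --extract returns one value instead of the whole file
  SOPS_AGE_KEY_FILE="$work/secrets/keys/age.txt" \
    sops --decrypt --extract '["password"]' example.enc.yaml || exit 1
)

# stand-alone usage: prints mySuperSecretPassword on success
# sops_age_roundtrip
```

In a real project you keep example.enc.yaml (or encrypt in place with `sops --encrypt --in-place`) and never commit secrets/keys/age.txt; setting SOPS_AGE_KEY_FILE, or placing the key at the default location sops documents, is what lets `sops --decrypt` find the identity.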
Download the SOPS extension for VS Code and add to .vscode/settings.json:
{
"sops.defaults.ageKeyFile": "./secrets/keys/age.txt"
}
The extension then decrypts the file when you open it and re-encrypts it when you save. It is not perfect: double-check that the saved file is actually encrypted before you commit it.
You can reuse the same .vscode/settings.json across your projects if you always follow the same layout: keep the age key under secrets/keys/ and add that directory to your .gitignore, since age.txt is the private key.
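To make the "double-check" above mechanical, here is a small guard, added here and not part of the original page, that refuses a YAML file unless every value above the sops: metadata block is a SOPS ciphertext (`ENC[AES256_GCM,...]`) and the block records at least one age recipient. It needs only awk and grep, so it can run as a pre-commit hook where sops itself is not installed. The function names and both sample files are my own; the "encrypted" sample uses dummy base64 and a dummy recipient, not real sops output.

```shell
#!/usr/bin/env sh
# Added example (not the page's own code): tool-free check that a SOPS YAML file is
# really encrypted. Returns 0 if it is, 1 otherwise (reasons go to stderr).
check_sops_encrypted() {
  f=$1
  # every `key: value` line before the top-level `sops:` block must carry an ENC[...] value
  awk '
    /^sops:/ { exit }                                   # reached the metadata block
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    /^[[:space:]]*(- )?[^:[:space:]][^:]*:[[:space:]]*[^[:space:]]/ {
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)     # drop the key, keep the value
      if (val !~ /^ENC\[AES256_GCM,/) {
        bad++; print "plaintext value: " $0 > "/dev/stderr"
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$f" || return 1
  # the metadata block must name at least one age recipient
  grep -q '^ *- recipient: age1' "$f" || { echo "no age recipient in sops block" >&2; return 1; }
}

# Constructed samples for trying the check offline; prints the directory they live in.
make_samples() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/good.yaml" <<'EOF'
# keys stay readable, values are ciphertext (dummy values, not real sops output)
user: ENC[AES256_GCM,data:YWRtaW4=,iv:AAAA,tag:BBBB,type:str]
password: ENC[AES256_GCM,data:c2VjcmV0,iv:CCCC,tag:DDDD,type:str]
sops:
    age:
        - recipient: age1dummyrecipientxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZHVtbXk=
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:EEEE,tag:FFFF,type:str]
    version: 3.8.1
EOF
  # what the file looks like if the editor saved it without re-encrypting
  cat > "$dir/leaky.yaml" <<'EOF'
user: admin
password: mySuperSecretPassword
EOF
  echo "$dir"
}

# stand-alone usage:
# d=$(make_samples)
# check_sops_encrypted "$d/good.yaml"   && echo "good.yaml: ok"
# check_sops_encrypted "$d/leaky.yaml"  || echo "leaky.yaml: refused"
```

Wire it into .git/hooks/pre-commit over the staged files under your secrets directory and a half-saved plaintext file never reaches the repository, whatever the editor extension did.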