The use-case here is that you have a repository with a kubernetes secret file, and you want to encrypt it with SOPS.
We assume you will execute the commands in this document in the kubernetes
directory.
cd kubernetes
We'll suppose that you have already installed SOPS, age and minikube (if you don't have a kubernetes instance).
First, we create a kubernetes secret file secrets.yaml
:
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData:
username: admin
password: mySuperSecretPassword
We want to encrypt this file with SOPS and age. First, we need to create a key pair with age:
# create directory to store the keys
mkdir -p secrets/keys
# generate a key pair
age-keygen -o secrets/keys/age.txt
We create a SOPS config file .sops.yaml
:
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(data|stringData)$
encryption_method: age
age: "age1j0e4xycce25j08xcswuzh60qculvk70s8av9vd4q05wxvt9app0q96jlc2"
sops:
encryption_method: age
Note that we encrypt fields data
and stringData
of the kubernetes secret file.
sops -e secrets.yaml > secrets.enc.yaml
kubectl create -f secrets.enc.yaml
Launch minikube:
minikube start
Deploy secrets:
export SOPS_AGE_KEY_FILE="secrets/keys/age.txt"
sops --decrypt secret.encrypted.yml | kubectl apply -f -