A while ago I switched all our tooling from helm to kustomize. The why of this I’ll leave for another day, but it involves Tiller and the Security Surprises that Lurk Inside.
All was going well and then all of a sudden the project removed the support for external secrets. The reasons for that are also a story for another day, but it leave me high and dry.
After some discussion, a plan was mooted to make Go plugins available. Nearly all of the feedback was to not do this, but nonetheless that is what happened. So I’m still left high and dry, with a brittle interface in a restrictive language as the only option. Grr.
OK, so, lets move forward. I present to you a Kustomize plugin for sops. This allows me to safely commit my secrets to git, to rotate the keys used to protect that, to do IAM-based access to them, without too much end-user complexity.
Its probably simplest if you read the Github repository. A small ask. If you like this, please star it.
Now, how do you use it? Well, its relatively simple. First, create a secrets.yaml
file. In it you place all your secrets as name: value
pairs. Then, encrypt it. In the README I show how to do this with Google KMS, but you can use any of the methods sops supports (PGP, AWS KMS, etc).
sops --encrypt --gcp-kms projects/.../sops-key secrets.yaml > secrets.enc.yaml
Then, add a secretGenerator
to your Kustomize, referencing this plugin:
secretGenerator:
- name: mysecrets
kvSources:
- name: kustomize-sops
pluginType: go
args:
- CAT
- DOG
OK, now run kustomize
as normal (and try not to grit your teeth at the double misspelling of s/c/k and s/z/s).
I purposely did not compile the plugin for you. Do this:
mkdir -p ~/.config/kustomize/plugins/kvSources
go build -buildmode plugin -o ~/.config/kustomize/plugins/kvSources/kustomize-sops.so kustomize-sops.go
Why did I not build it for you? BECAUSE YOU SHOULD NOT TRUST YOUR SECRETS TO A BINARY PROVIDED BY A RANDOM PERSON ON THE INTERNET.
OK, I really hope you like this. The code is short, It doesn’t support real YAML (e.g. it only supports NAME: VALUE) because of how limiting Go is. It doesn’t support multiple secrets files because the interface that was created doesn’t have config or meta or extensibility.
But, i works. And now you can safely commit your secrets.
I’ll leave i as an exercise to the reader to install sops, configure i so it works well with git for e.g. diff purposes etc. Its well documented on their page.
And if you got here, and you think this useful, a star on the Github would help us out.