@stefanprodan
Last active April 16, 2023 03:39

SOPS decryption for Kustomizations

Specification:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
kind: Kustomization
metadata:
  name: backend
spec:
  interval: 5m
  path: "./overlays/production/"
  prune: true
  sourceRef:
    kind: GitRepository
    name: webapp
  decrypt:
    engine: sops
    serviceAccountName: kms-reader
    secretRef:
      name: pgp-keys
```

The Kubernetes secrets used in ./overlays/production/ are encrypted with:

```sh
sops --encrypt --encrypted-regex '^(data|stringData)$' --in-place my-secret.yaml
```

Workflow

kustomize-controller

  • create decrypt pod sops-decrypt-<kustomization-name>-<artifact-short-sha>
  • wait for pod to become ready

```yaml
apiVersion: v1
kind: Service
metadata:
  name: sops-decrypt
spec:
  clusterIP: None
  selector:
    app: sops-decrypt
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: sops-decrypt-backend-363a6a8
  namespace: gitops-system
  labels:
    app: sops-decrypt
  ownerReferences:
  - apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Kustomization
    name: backend
spec:
  serviceAccountName: kms-reader
  restartPolicy: Never
  containers:
  - name: sops-decrypt
    image: docker.io/fluxcd/sops-decrypt:v0.0.1
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /healthz
        port: http
        scheme: HTTP
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
    resources:
      limits:
        cpu: "1"
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 64Mi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /tmp
      name: temp
    - mountPath: /pgp-keys
      name: pgp-keys
      readOnly: true
  volumes:
  - emptyDir: {}
    name: temp
  - name: pgp-keys
    secret:
      defaultMode: 420
      secretName: pgp-keys
  nodeSelector:
    kubernetes.io/arch: amd64
    kubernetes.io/os: linux
```

sops-decrypt

  • import pgp keys from /pgp-keys
  • listen for HTTP POST request on port 8080

kustomize-controller

  • run kustomize build
  • extract sops encrypted manifests to a yaml file
  • post the yaml file with the encrypted manifests to the sops-decrypt HTTP endpoint
  • wait for response

sops-decrypt

  • receive the yaml file with the encrypted manifests
  • split the manifests into individual yaml files
  • execute sops decrypt for each file
  • merge the decrypted manifests into a single yaml
  • respond to the kustomize-controller request with the decrypted manifests

kustomize-controller

  • receive the decrypted manifests
  • delete pod
  • replace the encrypted manifests with the decrypted ones in the kustomize build output
  • continue with reconciliation
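The exchange between the two components, as an added Go example that is not part of this gist nor of the kustomize-controller or sops-decrypt code. The controller-side functions (`ExtractEncrypted`, `MergeDecrypted`) and the sops-decrypt side (`DecryptHandler`, `SopsCLI`) are my own sketch of the steps listed above. Assumptions: documents are split on `---` separator lines and a manifest counts as sops-encrypted when it carries a column-0 `sops:` key (a line heuristic, not a YAML parse); `SopsCLI` pipes each document through a `sops --decrypt` binary assumed to be on the pod's PATH with the PGP keys already imported; the 8 MiB request cap and the `Decrypter` function type are my choices, not anything the design specifies.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
)

// Decrypter turns one sops-encrypted YAML document into cleartext.
type Decrypter func(encrypted []byte) ([]byte, error)

// SopsCLI pipes a document through `sops --decrypt`; it assumes sops is on
// PATH and the PGP keys from /pgp-keys were imported into the pod's keyring.
func SopsCLI(doc []byte) ([]byte, error) {
	cmd := exec.Command("sops", "--decrypt", "--input-type", "yaml", "--output-type", "yaml", "/dev/stdin")
	cmd.Stdin = bytes.NewReader(doc)
	return cmd.Output()
}

var docSep = regexp.MustCompile(`(?m)^---[ \t]*$`) // YAML document separator line

// SplitDocuments splits a YAML stream into trimmed, non-empty documents.
func SplitDocuments(stream []byte) [][]byte {
	var docs [][]byte
	for _, part := range docSep.Split(string(stream), -1) {
		if doc := strings.TrimSpace(part); doc != "" {
			docs = append(docs, []byte(doc))
		}
	}
	return docs
}

// JoinDocuments is the inverse of SplitDocuments.
func JoinDocuments(docs [][]byte) []byte { return bytes.Join(docs, []byte("\n---\n")) }

// IsSopsEncrypted looks for the column-0 `sops:` key that sops adds to every file it encrypts (line heuristic).
func IsSopsEncrypted(doc []byte) bool {
	return bytes.HasPrefix(doc, []byte("sops:")) || bytes.Contains(doc, []byte("\nsops:"))
}

// ExtractEncrypted (controller side) keeps only the encrypted documents of a kustomize build output.
func ExtractEncrypted(build []byte) []byte {
	var enc [][]byte
	for _, doc := range SplitDocuments(build) {
		if IsSopsEncrypted(doc) {
			enc = append(enc, doc)
		}
	}
	return JoinDocuments(enc)
}

// MergeDecrypted (controller side) puts the decrypted documents back in order, failing
// closed on a count mismatch or a surviving `sops:` block so ciphertext is never applied.
func MergeDecrypted(build, decrypted []byte) ([]byte, error) {
	docs, dec, i := SplitDocuments(build), SplitDocuments(decrypted), 0
	for n, doc := range docs {
		if !IsSopsEncrypted(doc) {
			continue
		}
		if i >= len(dec) || IsSopsEncrypted(dec[i]) {
			return nil, errors.New("sops-decrypt returned too few or still-encrypted documents")
		}
		docs[n], i = dec[i], i+1
	}
	if i != len(dec) {
		return nil, errors.New("sops-decrypt returned more documents than were sent")
	}
	return JoinDocuments(docs), nil
}

// DecryptHandler (sops-decrypt side) answers a POST of the encrypted stream with the merged
// cleartext stream; a cleartext document in the request is refused and one failure fails all.
func DecryptHandler(decrypt Decrypter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 8<<20)) // bound the body size
		if r.Method != http.MethodPost || err != nil {
			http.Error(w, "expected a POST with a YAML body", http.StatusBadRequest)
			return
		}
		var out [][]byte
		for _, doc := range SplitDocuments(body) {
			if !IsSopsEncrypted(doc) {
				http.Error(w, "document is not sops-encrypted", http.StatusBadRequest)
				return
			}
			plain, err := decrypt(doc)
			if err != nil {
				http.Error(w, err.Error(), http.StatusUnprocessableEntity)
				return
			}
			out = append(out, plain)
		}
		w.Header().Set("Content-Type", "application/yaml")
		w.Write(JoinDocuments(out))
	})
}

func main() { http.ListenAndServe(":8080", DecryptHandler(SopsCLI)) }
```

The controller flow is `ExtractEncrypted(build)` → `POST` to the pod's port 8080 → `MergeDecrypted(build, response)`. Both sides refuse to treat plaintext as ciphertext or ciphertext as plaintext: the handler rejects a document without `sops:` metadata, and the merge step aborts the reconciliation if a `sops:` block survives or the document count differs, which is the point at which a broken decrypt pod would otherwise leak an encrypted Secret into the apply.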