Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
SOPS Kustomize Generator Plugin
It is a plugin for Kustomize that allows you to use Kubernetes Secrets encrypted with SOPS as a generator.
Getting Started
Install
To install this plugin on Kustomize, download the binary to Kustomize Plugin folder with apiVersion: inloco.com.br/v1 and kind: SOPS. Then make it executable.
Linux 64-bits
PLACEMENT=${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/inloco.com.br/v1/sops
mkdir -p $PLACEMENT
PLUGIN=$PLACEMENT/SOPS
wget -O $PLUGIN https://github.com/inloco/sops-kustomize-generator-plugin/releases/download/v1.1.1/plugin-linux-amd64
chmod +x $PLUGINmacOS 64-bits
PLACEMENT=${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/inloco.com.br/v1/sops
mkdir -p $PLACEMENT
PLUGIN=$PLACEMENT/SOPS
wget -O $PLUGIN https://github.com/inloco/sops-kustomize-generator-plugin/releases/download/v1.1.1/plugin-darwin-amd64
chmod +x $PLUGINManual Build and Install for Other Systems and/or Architectures
git clone https://github.com/inloco/sops-kustomize-generator-plugin
cd sops-kustomize-generator-plugin
go get -d -v ./...
go build -a -installsuffix cgo -ldflags '-extldflags "-static" -s -w' -tags netgo -v ./...
PLACEMENT=${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/inloco.com.br/v1/sops
mkdir -p $PLACEMENT
mv ./sops-kustomize-generator-plugin $PLACEMENT/SOPS
cd ..
rm -fR sops-kustomize-generator-pluginUsing
We can start with a regular Kubernetes Secret in its YAML format.
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2RmTo convert it to a file that will be processed by the plugin, we replace apiVersion: v1 with apiVersion: inloco.com.br/v1 and kind: Secret with kind: SOPS.
apiVersion: inloco.com.br/v1
kind: SOPS
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2RmFinally we encrypt it using SOPS with the following command:
sops --encrypt --encrypted-regex '^(data|stringData)$' --in-place ./secret.yamlNow we can specify ./secret.yaml as a generator on kustomization.yaml:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ./secret.yamlNotes
- Remember to use
--enable_alpha_pluginsflag when runningkustomize build. - You may need to use environment variables, such as
AWS_PROFILE, to configure SOPS decryption when running Kustomize. - Integrity checks are disabled on SOPS decryption, this is done to prevent integrity failures due to Kustomize sortting the keys of original YAML file.
- This documentation assumes that you are familiar with Kustomize and SOPS, read their documentation if necessary.
- To make the generator behave like a patch, you might want to set
kustomize.config.k8s.io/behaviorannotation to"merge". The other internal annotations described on Kustomize Plugins Guide are also supported.