Skip to content

inloco/sops-kustomize-generator-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

82 Commits
.github
.github
 
 
hack
hack
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

SOPS Kustomize Generator Plugin

It is a plugin for Kustomize that allows you to use Kubernetes Secrets encrypted with SOPS as a generator.

Getting Started

Install

To install this plugin on Kustomize, download the binary to Kustomize Plugin folder with apiVersion: inloco.com.br/v1 and kind: SOPS. Then make it executable.

Linux 64-bits and/or macOS 64-bits

VERSION="$(wget -qO- 'https://api.github.com/repos/inloco/sops-kustomize-generator-plugin/releases/latest' | jq -r '.tag_name')"

wget -qO- "https://github.com/inloco/sops-kustomize-generator-plugin/releases/download/${VERSION}/install.sh" | sh

Manual Build and Install for Other Systems and/or Architectures

git clone 'https://github.com/inloco/sops-kustomize-generator-plugin'

cd sops-kustomize-generator-plugin

go get -d -v ./...

go build -a -installsuffix cgo -ldflags '-extldflags "-static" -s -w' -tags netgo -v ./...

PLACEMENT="${XDG_CONFIG_HOME:-${HOME}/.config}/kustomize/plugin/inloco.com.br/v1/sops"

mkdir -p "${PLACEMENT}"

mv ./sops-kustomize-generator-plugin "${PLACEMENT}/SOPS"

cd ..

rm -fR sops-kustomize-generator-plugin

Using

We can start with a regular Kubernetes Secret in its YAML format.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

To convert it to a file that will be processed by the plugin, we replace apiVersion: v1 with apiVersion: inloco.com.br/v1 and kind: Secret with kind: SOPS.

apiVersion: inloco.com.br/v1
kind: SOPS
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Finally we encrypt it using SOPS with the following command:

sops --encrypt --encrypted-regex '^(data|stringData)$' --in-place ./secret.yaml

Now we can specify ./secret.yaml as a generator on kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
  - ./secret.yaml

Notes

  • Remember to use --enable-alpha-plugins flag when running kustomize build.
  • You may need to use environment variables, such as AWS_PROFILE, to configure SOPS decryption when running Kustomize.
  • Integrity checks are disabled on SOPS decryption, this is done to prevent integrity failures due to Kustomize sorting the keys of original YAML file.
  • This documentation assumes that you are familiar with Kustomize and SOPS, read their documentation if necessary.
  • To make the generator behave like a patch, you might want to set kustomize.config.k8s.io/behavior annotation to "merge". The other internal annotations described on Kustomize Plugins Guide are also supported.

About

SOPS Kustomize Generator Plugin

Topics

kubernetes hacktoberfest sops kustomize

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

7 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases 11

v1.1.5 Latest
May 5, 2025
+ 10 releases

Packages

No packages published

Contributors 7

Languages