PoC using SOPS to manage secrets for k8s with age encryption

thomas-chauvet/poc-sops-k8s-age

PoC k8s secrets management with SOPS

Introduction

Prerequisites

  • Install SOPS
brew install sops
  • Install age
brew install age

Note: SOPS can encrypt with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP keys. This document uses age throughout.

  • Optionally, install Minikube to run the PoC locally:
brew install minikube

Note: the commands above use Homebrew; on Linux, install the same tools from your distribution's packages or from each project's release page.

Examples

  • First example: generate age key, encrypt with SOPS, decrypt with SOPS, use .sops.yaml config file.
  • Multi-users: handle multiple users with SOPS and age, remove a user.
  • Multi-environments: handle multiple environments with SOPS and age.
  • Kubernetes: use SOPS and age to manage secrets for k8s.

VS Code extension

Example file

We create a file example.yaml with the following content:

user: admin
password: mySuperSecretPassword

Generate age key

We want to encrypt this file with SOPS and age. First, we need to create a key pair with age:

# create directory to store the keys
mkdir -p secrets/keys
# generate a key pair
age-keygen -o secrets/keys/age.txt

Configure

Install the SOPS extension for VS Code.

Add in .vscode/settings.json:

{
    "sops.defaults.ageKeyFile": "./secrets/keys/age.txt"
}

With this setting, the extension decrypts and re-encrypts the file automatically when you open and save it.

The extension is not perfect, but it works. Double-check that the saved file really is encrypted before you commit it!

You can reuse the same .vscode/settings.json across projects if you always keep the same layout: store the age key file in secrets/keys/ and add that directory to your .gitignore. The age.txt file written by age-keygen contains the private key, so it must never be committed; only the public key (the recipient) belongs in .sops.yaml.
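As an added end-to-end example (my own script, not code from the poc-sops-k8s-age repository), the POSIX shell script below ties the steps above together: it generates an age key pair, extracts the recipient from the key file, writes a .sops.yaml creation rule, encrypts example.yaml with SOPS, checks that the plaintext value is gone from the file, decrypts it again, and confirms that the key directory is git-ignored. The helper names (age_public_key, sops_config, key_is_ignored, demo), the path_regex and the sample key-file contents are assumptions chosen for this example; the round trip itself runs only when age and sops are installed.

```shell
#!/usr/bin/env sh
# Added example, not part of the poc-sops-k8s-age repository.
# Helper names (age_public_key, sops_config, key_is_ignored, demo) and the
# path_regex are assumptions chosen for this example.
set -eu

# age-keygen -o FILE writes three lines (constructed sample, not a real key):
#   # created: 2024-01-01T00:00:00Z
#   # public key: age1...
#   AGE-SECRET-KEY-1...
# Only the public key (the "recipient") goes into .sops.yaml; the last line
# is the private key and must stay out of git.
age_public_key() {
  sed -n 's/^# public key: //p' "$1"
}

# Print a .sops.yaml that encrypts every file matching PATH_REGEX for RECIPIENT.
# Several recipients can be listed comma-separated in the age: field.
sops_config() {
  recipient="$1"
  path_regex="$2"
  printf 'creation_rules:\n  - path_regex: %s\n    age: %s\n' "$path_regex" "$recipient"
}

# Exit status 0 if FILE is ignored by git, so it cannot be committed by accident.
key_is_ignored() {
  git check-ignore -q "$1"
}

# Full round trip in a throw-away git repository (runs in a subshell so the
# cd does not leak into the caller).
demo() (
  workdir=$(mktemp -d)
  cd "$workdir"
  git init -q .
  mkdir -p secrets/keys
  printf 'secrets/keys/\n' > .gitignore
  age-keygen -o secrets/keys/age.txt 2>/dev/null
  key_is_ignored secrets/keys/age.txt || { echo "private key is NOT git-ignored" >&2; exit 1; }

  recipient=$(age_public_key secrets/keys/age.txt)
  sops_config "$recipient" 'secrets/.*\.yaml$' > .sops.yaml

  printf 'user: admin\npassword: mySuperSecretPassword\n' > secrets/example.yaml
  # sops looks for .sops.yaml upwards from the target file and applies the
  # first matching creation rule.
  sops --encrypt --in-place secrets/example.yaml

  # Keys stay readable, values become ENC[AES256_GCM,...]; the plaintext must be gone.
  grep -q 'password: ENC\[' secrets/example.yaml
  if grep -q mySuperSecretPassword secrets/example.yaml; then
    echo "plaintext leaked into the encrypted file" >&2
    exit 1
  fi

  # Decrypt with the private key; SOPS_AGE_KEY_FILE tells sops where it lives.
  SOPS_AGE_KEY_FILE=secrets/keys/age.txt sops --decrypt secrets/example.yaml \
    | grep -q '^password: mySuperSecretPassword$'
  echo "round trip OK in $workdir"
)

# Run the round trip only when both tools are available.
if command -v age-keygen >/dev/null 2>&1 && command -v sops >/dev/null 2>&1; then
  demo
else
  echo "age and/or sops not installed; skipping round trip" >&2
fi
```

The two grep checks are the ones worth keeping in a real repository: one that the secret value is an ENC[...] blob, one that the plaintext string no longer appears anywhere in the file (sops encrypts values but leaves keys such as user and password readable). The git check-ignore call is the cheapest way to verify the .gitignore advice above before the first commit.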
