In Kubernetes, how do you create a SOPS secret from a binary file?
Hi!
I'm struggling with this one. All my secrets are maintained with SOPS; recently I had to integrate a binary file as a secret but I can't seem to make it work... I can update the binary file in place, but I can't integrate it in a template... Does anyone have a method to achieve that?
Thanks!!
You can encrypt any file (its content) using a variable:
secrets.yml (encrypted by SOPS+age):
secretEnvFile:
  private.pem: ENC[AES256_GCM,data:jf6g3AW0RPRBuTC+LCTzjVPhzfD+0Mklz+DnCggfgfgf...
values.yml (not encrypted):
volumeMounts:
  - name: jwt
    mountPath: /app/jwt/
    readOnly: true
.....
...
Export this private.pem as a file (I also use pluck to get different variables for dev, test etc.).
_helpers.tpl:
{{- define "GetSecretFiles" -}}
{{- with .Values.secretEnvFile }}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | b64enc }}
{{- end }}{{- end }}
{{- with .Values.secretTiersFile }}
{{- range $k, $v := . }}
{{ $k }}: {{ pluck $.Values.TIER $v | first | default $v._default | b64enc }}
{{- end }}{{- end }}
{{- end }}
secret-jwt.yml:
{{- $fullName := include "GetAppFullname" . -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ printf "%s-%s" $fullName "jwt" }}
  labels: {{- include "GetLabels" . | nindent 4 }}
type: Opaque
data:
{{- include "GetSecretFiles" . | indent 2 }}
deployment.yml — mount the entries of secret-jwt.yml as files in a volume:
.....
      volumes:
        - name: jwt
          secret:
            secretName: {{ printf "%s-%s" $fullName "jwt" }}
            defaultMode: 0444
.....
      containers:
        - name: {{ $fullName }}
.....
          volumeMounts: {{- toYaml .Values.volumeMounts | default "" | nindent 10 }}
So the file is /app/jwt/private.pem
How can I make it easier next time to encrypt/decrypt with this line: secretEnvFile: private.p12: ENC[AES256_GCM,data:jf6g3AW0RPRBuTC+LCTzjVPhzfD+0Mklz+DnCggfgfgf... It should be a binary file instead of text.
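The answer above works for a text file such as private.pem because the template applies b64enc to the plaintext value. A binary file such as private.p12 cannot be stored as a raw YAML string, so the usual approach is to base64-encode it once before it goes into the values file, encrypt that with SOPS, and then have the template copy the value into the Secret's data without a second b64enc. The script below is an added example, not code from the thread; it assumes a hypothetical values key named secretBinaryFile for such pre-encoded entries, and the encrypt_with_sops function (not executed here) assumes sops with a recipient configured in .sops.yaml. The sample bytes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): prepare a binary file for a
# SOPS-encrypted Helm values file and check that it survives the round trip.
# Assumption: entries under the hypothetical key `secretBinaryFile` already hold
# base64 of the raw bytes, so the Helm template must write them into the Secret
# `data:` as-is, without the b64enc used for `secretEnvFile` in the answer.
set -eu

# Base64-encode a binary file as a single line (YAML-safe, no embedded newlines).
# `tr -d` is used instead of `base64 -w0` so the same line works on BSD and GNU.
encode_binary_for_values() {
  base64 < "$1" | tr -d '\n'
}

# Emit the plaintext values fragment that will later be encrypted with sops.
# $1 = key (becomes the file name inside the mounted volume), $2 = binary path
values_fragment() {
  printf 'secretBinaryFile:\n  %s: %s\n' "$1" "$(encode_binary_for_values "$2")"
}

# Return 0 if the base64 string decodes to exactly the original bytes.
# Catches truncation, stray newlines and accidental double-encoding.
# $1 = original binary path, $2 = base64 string
roundtrip_ok() {
  printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Encrypt only the secret-bearing keys so the rest of the values stay reviewable
# in diffs. Not executed here: needs sops and an age/KMS recipient in .sops.yaml.
# $1 = plaintext values file
encrypt_with_sops() {
  sops --encrypt --encrypted-regex '^(secretBinaryFile|secretEnvFile)$' "$1" \
    > "${1%.yml}.enc.yml"
}

# --- constructed sample input: a few non-text bytes standing in for a .p12 ---
SAMPLE="$(mktemp)"
printf '\001\002\377\376PKCS12-sample\n' > "$SAMPLE"

B64="$(encode_binary_for_values "$SAMPLE")"
values_fragment private.p12 "$SAMPLE"
if roundtrip_ok "$SAMPLE" "$B64"; then
  echo "roundtrip: ok"
else
  echo "roundtrip: FAILED"; exit 1
fi

# The pitfall from the thread: if the template also applies b64enc to a value
# that is already base64, the Secret decodes to base64 text, not to the binary.
DOUBLE="$(printf '%s' "$B64" | base64 | tr -d '\n')"
if roundtrip_ok "$SAMPLE" "$DOUBLE"; then
  echo "unexpected: double-encoded value round-tripped"
else
  echo "double-encoded value does not round-trip (expected)"
fi
rm -f "$SAMPLE"
```

In the chart this means a second range in the helper for the pre-encoded key that emits `{{ $k }}: {{ $v }}` (no b64enc), while the existing secretEnvFile range keeps its b64enc for text files; the volume and volumeMounts from the answer stay the same, and the file appears at /app/jwt/private.p12. Running roundtrip_ok against the decrypted values before deploying is a cheap check that nothing was truncated or double-encoded on the way in.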