KSOPS

KSOPS is a flexible Kustomize KRM-based plugin for SOPS encrypted resources. This repository provides a completely new KRM-based plugin with no affiliation with the existing Go-based ksops plugin.

Features

• A flexible Kustomize KRM-based plugin for SOPS encrypted resources.
• Provides the ability to fail silently if the generator fails to decrypt files.
• Generates dummy secrets with the KSOPS_GENERATE_DUMMY_SECRETS environment variable.
• Example files and PGP key are provided with the repository to test KSOPS.

Installation

To install KSOPS, download the binary and add it to your path.

TL;DR

For MacOS Arm64:

export BINARY_PATH=~/go/bin/

gh release download --clobber -R argyle-engineering/ksops --pattern ksops_Darwin_arm64.tar.gz && mkdir ksops && tar -xzvf ksops_Darwin_arm64.tar.gz -C ksops && chmod +x ksops/ksops && mv ksops/ksops $BINARY_PATH && rm -r ksops/ ksops_Darwin_arm64.tar.gz

Usage

To use KSOPS example, follow these steps:

1. Import the GPG key: gpg --import example/sops_functional_tests_key.asc.
2. Build and decrypt the example files: kustomize build --enable-alpha-plugins --enable-exec example/.

To generate dummy secrets, set the KSOPS_GENERATE_DUMMY_SECRETS environment variable to true. For example: KSOPS_GENERATE_DUMMY_SECRETS=TRUE kustomize build --enable-alpha-plugins <dir>.

To allow KSOPS to fail silently, add the following to the generator:

apiVersion: argyle.com/v1
kind: ksops
metadata:
  name: secret-generator
  annotations:
    config.kubernetes.io/function: |2-
      exec:
        path: ksops  
fail-silently: true
files:
- ./secret.enc.yaml

Release Process

To release a new version, install goreleaser and set your GitHub token:

brew install goreleaser syft 
export GITHUB_TOKEN="YOUR_GH_TOKEN"

Then, create a tag and push it to GitHub:

git tag -a v0.1.0
git push origin v0.1.0

Finally, run the following command:

goreleaser release

or use docker

docker buildx build --platform linux/arm64,linux/amd64 -t ksops:v1.0.3 --push .