Project:Secrets-K8s

From MaRDI portal

SOPS (Secrets OPerationS) Documentation

What is SOPS?

SOPS (Secrets OPerationS) is a tool developed by Mozilla that encrypts files containing sensitive data like passwords, API keys, and certificates. It's designed to work seamlessly with version control systems by encrypting only the values in structured data files (YAML, JSON, etc.) while leaving the keys in plaintext. This allows us to safely store encrypted secrets in our Git repository alongside our Kubernetes manifests.

Why We Use SOPS

In our FluxCD-synchronized Kubernetes setup, SOPS enables us to:

  • Store encrypted secrets directly in the repository
  • Maintain GitOps workflows without exposing sensitive data
  • Allow team members to decrypt secrets only when they have the proper keys
  • Track changes to secrets through normal Git workflows

Installation

Installing SOPS

# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64

# Move the binary into your PATH
mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops

# Make the binary executable
chmod +x /usr/local/bin/sops

Setting Up Project Keys

Before you can encrypt secrets, you need to import the project's public key from our k8s repository:

gpg --import .sops.pub.asc

This public key allows you to encrypt secrets that can be decrypted by anyone with access to the corresponding private key.

Working with Secrets

Encrypting Secrets

To encrypt a secret file in-place:

# Encrypt an existing plaintext file
sops --encrypt --in-place secret.yaml

or

sops -e -i secret.yaml

Decrypting Secrets

To decrypt secrets:

# Decrypt file in-place (back to plaintext)
sops --decrypt --in-place secret.yaml

# View decrypted content without modifying the file
sops -d secret.yaml

Editing encrypted secrets

# Edit encrypted file directly
sops secret.yaml

Workflow

  1. Create your secret file with plaintext values under a secrets: block
  2. Encrypt it in-place with sops -e -i secret.yaml
  3. Commit the encrypted file to Git
  4. To make changes, either:
    • Edit directly with sops secret.yaml
    • Or decrypt in-place, edit, then encrypt in-place again

Important Security Notes

  • Never commit plaintext secrets to the repository
  • Always encrypt files before pushing to Git
  • Only team members with the private key can decrypt secrets
  • If you don't have decryption access, you can still work with the encrypted files (FluxCD will handle decryption in the cluster)
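A pre-commit guard that enforces the first two notes, added here as an example (it is not part of this project's repository or of SOPS itself). It assumes secret values live under a top-level secrets: block as in the workflow above, accepts data/stringData as well, and inspects the file text only, so it needs neither the sops binary nor the private key:

```shell
# Pre-commit guard for "never commit plaintext secrets": each file passed in
# must carry SOPS metadata and hold only ENC[...] values under its secret block.
# Assumption: values sit under a top-level "secrets:" block (data/stringData
# also accepted); edit SECRET_BLOCKS to mirror encrypted_regex in .sops.yaml.
SECRET_BLOCKS='secrets|data|stringData'

# Exit status 0 iff FILE looks SOPS-encrypted; no sops binary or key needed.
sops_encrypted() {
  awk -v blocks="^(${SECRET_BLOCKS}):" '
    BEGIN { in_block = 0; has_sops = 0; plain = 0 }
    /^[^ \t#]/ {                       # a top-level key closes the previous block
      in_block = ($0 ~ blocks)
      if ($0 ~ /^sops:/) has_sops = 1
      next
    }
    in_block && /^[ \t]+[^ \t#][^:]*:[ \t]*[^ \t]/ {
      val = $0                         # indented "key: value" in a secret block
      sub(/^[^:]*:[ \t]*"?/, "", val)
      if (val !~ /^ENC\[/) plain++     # block scalar "|" or raw text is plaintext
    }
    END { exit !(has_sops && plain == 0) }
  ' "$1"
}

# Hook entry point: fails on the first unencrypted file so the commit aborts.
# Typical use: guard_files $(git diff --cached --name-only -- '*secret*.yaml')
guard_files() {
  for f in "$@"; do
    sops_encrypted "$f" || { echo "refusing $f: not SOPS-encrypted" >&2; return 1; }
  done
}

# Constructed samples (no real secrets): a trimmed file as sops -e -i writes it,
# and the same Secret still in plaintext. Prints the directory they live in.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/encrypted.yaml" <<'EOF'
apiVersion: v1
kind: Secret
secrets:
    password: ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]
sops:
    pgp:
        - fp: 0000000000000000000000000000000000000000   # placeholder fingerprint
    encrypted_regex: ^(secrets)$
    version: 3.10.2
EOF
  printf 'apiVersion: v1\nkind: Secret\nsecrets:\n    password: hunter2\n' > "$dir/plaintext.yaml"
  echo "$dir"
}
```

A file that still has a sops: block but a decrypted value, or ENC[...] values with the sops: block stripped, is rejected as well, which catches a half-finished decrypt-edit-encrypt cycle.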

Troubleshooting

If you encounter issues:

  1. Verify SOPS is installed correctly: sops --version
  2. Check that the public key is imported: gpg --list-keys
  3. Ensure you're in the correct directory with the .sops.yaml configuration file

For additional help, refer to the SOPS documentation or contact a team member with administrative access to the encryption keys.