agilicus / kustomize-sops

This is a *very* simple wrapper to allow use of [sops](https://github.com/mozilla/sops) encoded secrets within [kustomize](https://github.com/kubernetes-sigs/kustomize).

License: Apache License 2.0

Go 82.21% Makefile 17.79%

kustomize-sops's Introduction

kustomize-sops

This is a very simple wrapper to allow use of sops encoded secrets within kustomize.

It assumes that there exists a single secrets.enc.yaml file, and in it there is a 1-deep YAML representation of SECRET: VALUE.

Assume you had raw secrets in secrets.yaml:

CAT: ferocious
DOG: tame

You would then encrypt it something like:

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

You would use a kustomization.yaml file as:

---
apiVersion: kustomize-sops/v1
kind: SopsSecret
name: my-secret
namespace: bar
source: secrets.enc.yaml
metadata:
  name: not-used
keys:
  - CAT

If keys is empty (e.g. keys: []), then all keys are imported.

And then running kustomize build --enable_alpha_plugins . would yield:

apiVersion: v1
data:
  CAT: ZmVyb2Npb3Vz
kind: Secret
metadata:
  name: my-secret-hkbkhc8h2b
  namespace: bar
type: Opaque

You may wish to try: type: kubernetes.io/dockerconfigjson if using a docker config.
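The generator logic described above, as an added example that is not the project's own code: it takes the plaintext that sops --decrypt yields for the README's secrets.yaml (a constructed sample is used in place of calling sops), applies the keys rule (empty list means import everything) and base64-encodes the values for the Secret's data field. The flat-YAML parser is a deliberately minimal one written for this example; the name suffix hash is left to kustomize, as in the README output.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// parseFlatYAML reads the 1-deep "KEY: VALUE" plaintext that sops --decrypt yields
// for the README's secrets.yaml. Constructed minimal parser, not a YAML library:
// indented (nested) lines and keys without a value are rejected, not guessed at.
func parseFlatYAML(doc string) (map[string]string, error) {
	out := map[string]string{}
	for n, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line == "---" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		k, v = strings.TrimSpace(k), strings.Trim(strings.TrimSpace(v), `"'`)
		if !ok || k == "" || v == "" || strings.IndexAny(raw, " \t") == 0 {
			return nil, fmt.Errorf("line %d: expected flat KEY: VALUE", n+1)
		}
		out[k] = v
	}
	return out, nil
}

// buildData applies the README rule (keys: [] imports everything, otherwise only the
// listed keys) and base64-encodes the values for the Secret's data field, as the
// README output shows (CAT: ferocious becomes ZmVyb2Npb3Vz). A listed key absent from
// the file is an error rather than a silent gap; base64 is encoding, not encryption.
func buildData(all map[string]string, keys []string) (map[string]string, error) {
	if len(keys) == 0 {
		for k := range all {
			keys = append(keys, k)
		}
	}
	data := map[string]string{}
	for _, k := range keys {
		v, ok := all[k]
		if !ok {
			return nil, fmt.Errorf("key %q not found in decrypted source", k)
		}
		data[k] = base64.StdEncoding.EncodeToString([]byte(v))
	}
	return data, nil
}
```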

More information is in the blog post.

Install Pre-requisites

Build & Install plugin

This is a bit complex since Go plugins are unbelievably brittle: all packages on both sides must be identical. Effectively they must be built in the same tree at the same time.

To build, run make. Note: the result is both kustomize and the plugin; you must use the kustomize that this builds.

It will output two files:

~/bin/kustomize
~/.config/kustomize/plugin/kustomize-sops/v1/sopssecret/SopsSecret.so

If you have ~/bin on your path, it should work from here.

I have built this with

$ go version
go version go1.13.7 linux/amd64

I am not sure how sensitive it is to changes.

Test/Run

kustomize build --enable_alpha_plugins .

Setup encrypted secrets

gcloud auth application-default login
gcloud kms keyrings create sops --location global
gcloud kms keys create sops-key --location global --keyring sops --purpose encryption
gcloud kms keys list --location global --keyring sops
# NAME                                                                      PURPOSE          LABELS  PRIMARY_ID  PRIMARY_STATE
# projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key  ENCRYPT_DECRYPT          1           ENABLED

sops --encrypt --gcp-kms projects/MYPROJECT/locations/global/keyRings/sops/cryptoKeys/sops-key secrets.yaml > secrets.enc.yaml

Notes

The interface in kustomize for plugins is extremely brittle. They effectively don't work unless compiled at the same time as kustomize.

See kustomize-plugins for exec-based plugins that achieve the same purpose as above, but are not as brittle.

The patch... see kubernetes-sigs/kustomize#1075 (comment)

kustomize-sops's People

Contributors

donbowman, klarose, lelandsindttouchnet, ocaner-biz, tokyowizard


kustomize-sops's Issues

Add support for ConfigMap

Currently the kustomize sops plugin only supports Secret resources.

Some applications require that the configuration is provided as ConfigMap.

Therefore it would be nice to have support for ConfigMap.

Ignores secrets

This required upgrading to golang 1.13.4. After running make I ran sudo cp /home/ubuntu/bin/kustomize /usr/local/bin to make it accessible to the system.

✗  kustomize version
Version: {KustomizeVersion:unknown GitCommit:$Format:%H$ BuildDate:1970-01-01T00:00:00Z GoOs:linux GoArch:amd64}

Nice build date...

I use sops to encrypt the sample secrets.enc.yaml with CAT and DOG. I'm able to decrypt it fine with sops --decrypt secrets.enc.yaml > secrets.yaml. I add this to the kustomization.yaml:

---
apiVersion: kustomize-sops/v1
kind: SopsSecret
name: my-secret
namespace: bar
source: secrets.enc.yaml
metadata:
  name: not-used
keys:
  - CAT

Then I run kustomize build --enable_alpha_plugins . > test.yaml but there are no secrets in the test.yaml file. No errors, it just ignores the secret.

protobuf dependency

Hey there, firstly awesome plugin thank you for your efforts.

As you noted about brittle dependencies in Go, I am currently investigating a

Error: loading generator plugins: plugin /root/.config/kustomize/plugin/kustomize-sops/v1/sopssecret/SopsSecret fails to load: plugin.Open("/root/.config/kustomize/plugin/kustomize-sops/v1/sopssecret/SopsSecret"): plugin was built with a different version of package github.com/golang/protobuf/proto
make: *** [generate] Error 1

error in the latest version of kustomize, I suspect, but it may affect this implementation.

compilation error

I am kinda stuck with this one and can't figure it out.

2usmhalliday2:kustomize-sops halliday$ go build -buildmode plugin -o $OUTDIR/kustomize-sops.so kustomize-sops.go
2usmhalliday2:kustomize-sops halliday$ kustomize build --enable_alpha_goplugins_accept_panic_risk
Error: generating legacy configMaps and secrets: secretgenerator: [{{ mysecrets {[] [] } [{go kustomize-sops [CAT DOG]}]} }]: NewResMapFromSecretArgs: plugins: : plugin.Open("/Users/halliday/.config/kustomize/plugin/kvSources/kustomize-sops"): plugin was built with a different version of package gopkg.in/yaml.v2

Unable to disable name suffix hash

kustomize-sops plugin always appends the name suffix hash even when it's disabled by global generator options:

kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ingress.yaml

generatorOptions:
  disableNameSuffixHash: true

generators:
- kustomization-secrets.yaml

All references of the Secret are named without the hash suffix and they don't get updated.

So it would be nice to have the ability to disable the name suffix hash.
