Associated Thunder episode: Managing Secrets in Configuration Files with SOPS
- How to store sensitive data?
- Declarative infrastructure is becoming a thing
- Problems sharing and storing config files containing secrets
- Enterprise-grade solutions can be high effort and overkill
Helm plugin for SOPS to put encrypted secrets into Helm charts
SOPS is a tool that encrypts and decrypts files. It is a single binary that you drive from the CLI.
A Kustomize generator called KSOPS integrates SOPS — e.g. encrypt a Kubernetes Secret, store it in Git, and apply it with GitOps.
What data do I want to share in a text file?
- Store an SSH key
- Check sensitive data into Git — encrypt/decrypt at runtime
- Storing and distributing passwords
- Use SOPS as one interface for many key manager tools
- Integrate DB passwords
- Integrate secrets into CI/CD pipeline or GitOps
Key backends SOPS can encrypt with (one interface, many key managers):
- GPG key (GNU Privacy Guard)
- age file encryption ("Actually Good Encryption")
- AWS KMS (Key Management Service)
- GCP KMS
- Azure Key Vault
- HashiCorp Vault
- ...and more!!!
SOPS can be used in almost ALL environments — cloud, on-prem, Kubernetes, anywhere!
SOPS is like GLUE to integrate tools and workflows.
- You can do everything within the SOPS CLI
- CLI flags let you specify which backend (and which key) to encrypt with
- Can go deeper and make a .sops.yaml file to configure SOPS without flags — this makes SOPS config shareable and reusable
- Backend integrations — which key(s) to encrypt with
- Which parts of a file to encrypt — specific values (selected by key name) vs. encrypting everything
- Re-encrypting data that is already encrypted ("I want to re-encrypt this data")
- Argo CD needs a config management plugin, after which it can use KSOPS, among other tools
- SOPS is natively built into Flux
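The points above (a shareable .sops.yaml, choosing which values to encrypt, and checking a Kubernetes Secret into Git) as one end-to-end shell walkthrough. This is an added example, not code from the episode or from the SOPS project. It assumes `sops` and `age-keygen` are on PATH; the age key, the `k8s/` path layout, the rule order and the demo password are constructed for the example, and the functions are only defined (not run) when the tools are absent.

```shell
#!/bin/sh
# Added example (not from the episode or the SOPS project): SOPS + age workflow
# that writes a .sops.yaml, encrypts only data/stringData of a Kubernetes Secret,
# and verifies what stayed plaintext. Assumes sops and age-keygen on PATH.
set -eu

DEMO_PASSWORD='demo-only-not-a-real-secret'   # constructed value for the example

sops_tools_available() { command -v sops >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1; }

# Generate an age identity, point sops at it for decryption, print the recipient.
setup_age_key() {   # $1 = directory
  age-keygen -o "$1/age-key.txt" 2>/dev/null
  export SOPS_AGE_KEY_FILE="$1/age-key.txt"      # sops reads the private key from here
  grep -o 'age1[0-9a-z]*' "$1/age-key.txt"       # "# public key: age1..." line in the key file
}

# Shareable config: the first creation_rule whose path_regex matches wins,
# so the narrow Kubernetes rule goes before the catch-all.
write_sops_config() {   # $1 = directory, $2 = age recipient (public key)
  cat > "$1/.sops.yaml" <<EOF
creation_rules:
  # Kubernetes Secret manifests: encrypt only the data/stringData subtrees so
  # apiVersion, kind, metadata and type stay readable for kubectl and kustomize.
  - path_regex: 'k8s/.*\.yaml$'
    encrypted_regex: '^(data|stringData)$'
    age: '$2'
  # Everything else: encrypt every value in the file.
  - age: '$2'
EOF
  printf '%s\n' "$1/.sops.yaml"
}

# Constructed Secret manifest (the kind of file you would not commit unencrypted).
write_demo_secret() {   # $1 = directory
  mkdir -p "$1/k8s"
  cat > "$1/k8s/db-credentials.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
data:
  password: $(printf '%s' "$DEMO_PASSWORD" | base64)
EOF
  printf '%s\n' "$1/k8s/db-credentials.yaml"
}

# Encrypt via the config (rule chosen by path), then check the result before
# it would be committed: metadata readable, value ciphertext, round trip intact.
encrypt_and_verify() {   # $1 = directory; returns 0 when every check holds
  local src="k8s/db-credentials.yaml" enc="k8s/db-credentials.enc.yaml" f b64
  f="$1/$enc"
  b64=$(printf '%s' "$DEMO_PASSWORD" | base64)
  ( cd "$1" && sops --encrypt "$src" > "$enc" )          # .sops.yaml found from cwd
  grep -q '^kind: Secret'              "$f" || return 1  # not matched by encrypted_regex
  grep -q 'password: ENC\[AES256_GCM'  "$f" || return 1  # value under data is ciphertext
  grep -q '^sops:'                     "$f" || return 1  # key metadata and MAC appended
  ! grep -q "$b64" "$f"                     || return 1  # plaintext value must be gone
  sops --decrypt "$f" | grep -q "password: $b64"         # round trip via SOPS_AGE_KEY_FILE
}

if sops_tools_available; then
  workdir=$(mktemp -d)
  recipient=$(setup_age_key "$workdir")
  write_sops_config "$workdir" "$recipient" >/dev/null
  write_demo_secret "$workdir" >/dev/null
  encrypt_and_verify "$workdir" && echo "ok: only data.password is ciphertext in $workdir/k8s/db-credentials.enc.yaml"
else
  echo "sops/age-keygen not found: functions defined, demo skipped" >&2
fi
```

Note what `encrypted_regex` does and does not hide: the value of `data.password` is ciphertext, but the key name `password`, the Secret's name and namespace are committed in the clear, which is what lets kustomize and Flux work with the file but also means the file's structure is visible to anyone with repository access.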
