mumoshu / sopsed

Spawning and storage of secure environments powered by sops, inspired by vaulted. Out-of-the-box support for kubectl, kube-aws, helm, helmfile

sopsed

A convenient wrapper command for automatically encrypting/decrypting files with sops.

Out-of-the-box support for kube-aws, helm, helmfile and kubectl.

Use this as a golang library to easily add support for the commands of your choice.

Install

Grab the latest binary from the GitHub releases page.

Pre-requisite

Create a .sops.yaml to tell sops which key to use for (re)encrypting files:

For AWS KMS:

creation_rules:
    - kms: "arn:aws:kms:<aws region>:<aws account id>:key/<key id>"

To separate keys for different environments:

creation_rules:
    - filename_regex: environments/test/.*
      kms: "arn:aws:kms:<aws region>:<aws account id>:key/<key #1 id>"
    - filename_regex: environments/prod/.*
      kms: "arn:aws:kms:<aws region>:<aws account id>:key/<key #2 id>"

Usage

# Automatically encrypts/decrypts `credentials/*-key.pem` before/after running a `kube-aws` sub-command
sopsed run kube-aws update ...

# Do the same for `./kubeconfig` before/after running `kubectl` and `helm` sub-commands
sopsed run helm ...
sopsed run kubectl ...

See the documentation in this repository for more detailed usage of each command.
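
The decrypt-before, re-encrypt-after wrapping shown under Usage, as an added Go example (not sopsed's own code): it re-encrypts every file it decrypted even when the wrapped command or a later decryption fails, so plaintext keys are not left on disk. `RunWithDecrypted`, `cryptFn` and `sopsInPlace` are hypothetical names, and it assumes the `sops` CLI is on PATH and is called with its `-d`/`-e` and `-i` (in-place) flags.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

type cryptFn func(path string) error // encrypts or decrypts one file in place

// sopsInPlace shells out to the sops CLI; flag is "-d" (decrypt) or "-e" (encrypt).
func sopsInPlace(flag string) cryptFn {
	return func(path string) error { return exec.Command("sops", flag, "-i", path).Run() }
}

// RunWithDecrypted (hypothetical helper) decrypts files, runs cmd, then
// re-encrypts every file it decrypted, whether or not cmd succeeded.
func RunWithDecrypted(files []string, dec, enc cryptFn, cmd func() error) (err error) {
	var opened []string
	defer func() {
		for _, f := range opened {
			if e := enc(f); e != nil {
				err = fmt.Errorf("re-encrypt %s: %v (earlier error: %v)", f, e, err)
			}
		}
	}()
	for _, f := range files {
		if e := dec(f); e != nil {
			return fmt.Errorf("decrypt %s: %w", f, e)
		}
		opened = append(opened, f)
	}
	return cmd()
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: wrap <encrypted file> <command> [args...]")
		os.Exit(2)
	}
	run := func() error {
		c := exec.Command(os.Args[2], os.Args[3:]...)
		c.Stdin, c.Stdout, c.Stderr = os.Stdin, os.Stdout, os.Stderr
		return c.Run()
	}
	if err := RunWithDecrypted(os.Args[1:2], sopsInPlace("-d"), sopsInPlace("-e"), run); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```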

Inspirations