
Secure Your Secrets: Encrypting with ksops and ArgoCD


Storing plaintext passwords in a Git repository is a significant risk, and a GitOps workflow puts every manifest in Git. ksops is a kustomize plugin that lets you encrypt Secret manifests locally with sops, so only ciphertext is ever committed to GitHub. When it's time to deploy, ArgoCD's repo-server runs the plugin while building the manifests and decrypts the secrets inside your Kubernetes cluster, so the deployment stays automated without the secrets ever being exposed in Git.

Getting Started with ksops

Install the necessary tools on your local machine:

brew install age
brew install ksops
brew install sops

Generate an age key pair and store it where sops looks for it (age-keygen prints the public key, the recipient you will encrypt to, and also records it as a comment in the key file). The target directory has to exist before the move:

mkdir -p ~/.config/sops/age
age-keygen -o age-key.txt
mv age-key.txt ~/.config/sops/age/keys.txt
export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt

Add the private key to the argocd namespace as a Secret; this is the key ArgoCD's repo-server will use to decrypt. The key file was moved above, so reference its new path (and keep that file out of the repository you push):

kubectl create secret generic sops-age-key --from-file=age.agekey="$HOME/.config/sops/age/keys.txt" -n argocd

Configure ArgoCD to decrypt secrets with ksops. The values.yaml for the ArgoCD Helm chart below enables kustomize's exec plugins, mounts the key Secret into the repo-server, and uses an init container to copy the ksops and kustomize binaries into it:

In your values.yaml:

configs:
  cm:
    kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"

repoServer:
  # Use init containers to configure custom tooling
  # https://argoproj.github.io/argo-cd/operator-manual/custom_tools/
  env:
    # Environment variables for ksops and SOPS
    - name: XDG_CONFIG_HOME
      value: /.config
    - name: SOPS_AGE_KEY_FILE
      value: /.config/sops/age/age.agekey
  volumes:
    - name: custom-tools
      emptyDir: {}
    - name: sops-age
      secret:
        secretName: sops-age-key

  initContainers:
    - name: install-ksops
      image: viaductoss/ksops:v4.3.2
      command: ["/bin/sh", "-c"]
      args:
        - echo "Installing KSOPS...";
          mv ksops /custom-tools/;
          mv kustomize /custom-tools/;
          echo "Done.";
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  volumeMounts:
    - mountPath: /usr/local/bin/kustomize
      name: custom-tools
      subPath: kustomize
    - mountPath: /usr/local/bin/ksops
      name: custom-tools
      subPath: ksops
    - name: sops-age
      mountPath: /.config/sops/age

Create a kustomization.yaml file:

# kustomization.yaml
---

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generators:
  - ksops.yaml

Create a ksops.yaml file:

# ksops.yaml
---

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: example-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
files:
  - secret.enc.yaml

Create and encrypt your secret:

Define your secret in secret.yaml:

# secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcjpwYXNzd29yZA==

Encrypt the secret using sops. sops needs the age public key (the recipient) to encrypt; age-keygen -y reads it back from your key file. The --encrypted-regex leaves kind and metadata in clear so kustomize and reviewers can still see what the file is, while everything under data is encrypted:

sops --encrypt --age "$(age-keygen -y ~/.config/sops/age/keys.txt)" --encrypted-regex '^(data|stringData)$' secret.yaml > secret.enc.yaml

Test your setup locally:

kustomize build --enable-alpha-plugins --enable-exec .

If you see the decrypted secret, you're all set! If not, double-check that your environment variables point to the correct decryption key. Once everything is in place, you can push your configuration to GitHub and deploy it to your cluster, where ArgoCD will handle the decryption and deployment seamlessly.
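The step that most often goes wrong in practice is the push itself: a secret.enc.yaml that was regenerated from secret.yaml but never re-encrypted lands in GitHub in clear. The guard below is an added example, not part of the original post or of ksops; it checks that every *.enc.yaml about to be committed carries a sops block with an age recipient and that every value under data/stringData is an ENC[...] ciphertext. It assumes POSIX sh with grep and awk, and the two sample manifests (and the placeholder age recipient in them) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): a pre-commit style guard that refuses to
# commit a *.enc.yaml Secret whose values are not SOPS/age-encrypted.
# Assumes POSIX sh, grep and awk; the sample files below are constructed.

# is_sops_encrypted FILE -> 0 if FILE looks like a sops-encrypted Secret, else 1.
is_sops_encrypted() {
  file="$1"
  # A sops metadata block with at least one age recipient must be present.
  grep -q '^sops:' "$file" || return 1
  grep -q '^ *- *recipient: *age1' "$file" || return 1
  # Every value under data:/stringData: must be an ENC[AES256_GCM,...] ciphertext;
  # kind/metadata are expected in clear (encrypted_regex '^(data|stringData)$').
  awk '
    /^(data|stringData):/ { in_data = 1; next }
    /^[^ ]/               { in_data = 0 }
    in_data && /^ +[^ ]+:/ {
      if ($0 !~ /: *"?ENC\[AES256_GCM,data:/) bad = 1
    }
    END { exit bad }
  ' "$file"
}

# check_staged FILE... -> prints a verdict per file, returns 1 if any is plaintext.
check_staged() {
  rc=0
  for f in "$@"; do
    if is_sops_encrypted "$f"; then
      echo "ok:        $f"
    else
      echo "PLAINTEXT: $f (refusing to commit)" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed samples: one properly encrypted, one accidentally left in clear.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/secret.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:AAAA,tag:BBBB,type:str]
sops:
  age:
    - recipient: age1placeholderpublickeyplaceholderpublickeyplaceholderpublickey
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        cGxhY2Vob2xkZXI=
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
EOF
cat > "$SAMPLE_DIR/leaked.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcjpwYXNzd29yZA==
EOF

# In a real hook you would pass the output of: git diff --cached --name-only -- '*.enc.yaml'
check_staged "$SAMPLE_DIR/secret.enc.yaml" "$SAMPLE_DIR/leaked.enc.yaml"
echo "hook exit status: $?"
```

Run as shown, the encrypted sample passes and the leaked one is reported, so the hook exits 1; wired into .git/hooks/pre-commit with the staged file list, the same non-zero status is what stops the commit. The check is deliberately structural (it never decrypts anything), so it runs anywhere without access to the age private key.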