Awesome
kustomize-age is a plugin for kustomize
that allows the user to keep local
files encrypted with age
that are decrypted before being used as files
inside a kubernetes Secret
.
Unlike kustomize-sops it does not encrypt the whole Secret
yaml file, but just
the files mentioned in the Secret
's files
attribute.
Use
First, run make install
and it will build this as a Go plugin and install it
into your $XDG_CONFIG_HOME
. (The Makefile is small, so you can read it to see
exactly what it's doing.)
Then, you'll create your Secret
yaml file normally but with a few changes:
apiVersion
should be set toapiVersion: kustomize-age/v1
kind
should be set toOndiskEncryptedSecret
instead ofSecret
(though, the final object that's added to your k8s cluster will be aSecret
).files
should be the file paths you want decrypted and stored in theSecret
without the.age
suffix on them. For example, amycredentials.key
infiles
of theOndiskEncryptedSecret
will correspond to the age encrypted file on disk atmycredentials.key.age
)
Those .age
file paths will be the file paths you wanted included in the
Secret
but encrypted with the age
key specified.
By default, the age
key used to decrypt these files is expected to be in the
KUBE_AGE_KEY
environment variable. The environment variable used can be
overrided by setting the ageKeyEnvVar
in the OndiskEncryptedSecret
.
Example
Supposing you have a file path you want in your secret at
mycredentials.key.age
$ ls
mycredentials.key.age mycredentials.yaml
$ cat mycredentials.yaml
apiVersion: kustomize-age/v1
kind: OndiskEncryptedSecret
metadata:
name: some-svc-credentials
files:
- mycredentials.key
# likely, you'll want to delete this next line and use the
# default KUBE_AGE_KEY env var.
ageKeyEnvVar: ANOTHER_ENV_VAR
Caveat
As with many Go plugins, you may have to fork this repo and adjust its go.mod
in order to correct package mismatches with your kustomize
binary.