Home

Awesome

kustomize-age is a plugin for kustomize that allows the user to keep local files encrypted with age that are decrypted before being used as files inside a kubernetes Secret.

Unlike kustomize-sops it does not encrypt the whole Secret yaml file, but just the files mentioned in the Secret's files attribute.

Use

First, run make install and it will build this as a Go plugin and install it into your $XDG_CONFIG_HOME. (The Makefile is small, so you can read it to see exactly what it's doing.)

Then, you'll create your Secret yaml file normally but with a few changes:

Those .age file paths will be the file paths you wanted included in the Secret but encrypted with the age key specified.

By default, the age key used to decrypt these files is expected to be in the KUBE_AGE_KEY environment variable. The environment variable used can be overrided by setting the ageKeyEnvVar in the OndiskEncryptedSecret.

Example

Supposing you have a file path you want in your secret at mycredentials.key.age

$ ls
mycredentials.key.age mycredentials.yaml

$ cat mycredentials.yaml
apiVersion: kustomize-age/v1
kind: OndiskEncryptedSecret
metadata:
    name: some-svc-credentials
files:
    - mycredentials.key

# likely, you'll want to delete this next line and use the
# default KUBE_AGE_KEY env var.
ageKeyEnvVar: ANOTHER_ENV_VAR

Caveat

As with many Go plugins, you may have to fork this repo and adjust its go.mod in order to correct package mismatches with your kustomize binary.