{"id":13798233,"url":"https://github.com/goabout/kustomize-sopssecretgenerator","last_synced_at":"2026-01-14T19:31:19.333Z","repository":{"id":35111937,"uuid":"208046421","full_name":"goabout/kustomize-sopssecretgenerator","owner":"goabout","description":"Kustomize generator plugin that generates Secrets from sops-encrypted files","archived":false,"fork":false,"pushed_at":"2024-04-11T09:29:01.000Z","size":268,"stargazers_count":116,"open_issues_count":4,"forks_count":16,"subscribers_count":11,"default_branch":"master","last_synced_at":"2026-01-04T03:15:49.376Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/goabout.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-12T12:29:58.000Z","updated_at":"2025-10-31T23:41:29.000Z","dependencies_parsed_at":"2024-06-18T22:37:06.670Z","dependency_job_id":"fc6f3bb5-8e3b-4318-a8bb-2cc88955fccf","html_url":"https://github.com/goabout/kustomize-sopssecretgenerator","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/goabout/kustomize-sopssecretgenerator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goabout%2Fkustomize-sopssecretgenerator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goabout%2Fkustomize-sopssecretgenerator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goabout%2Fkustomize-sopssecretgenerator/releases","manifests_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goabout%2Fkustomize-sopssecretgenerator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/goabout","download_url":"https://codeload.github.com/goabout/kustomize-sopssecretgenerator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goabout%2Fkustomize-sopssecretgenerator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28301278,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T08:21:30.231Z","status":"ssl_error","status_checked_at":"2026-01-11T08:21:26.882Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T00:00:40.751Z","updated_at":"2026-01-14T19:31:19.315Z","avatar_url":"https://github.com/goabout.png","language":"Go","funding_links":[],"categories":["Plugins","others"],"sub_categories":["Generators"],"readme":"# kustomize-sopssecretgenerator\n\n[![Build Status](https://travis-ci.org/goabout/kustomize-sopssecretgenerator.svg?branch=master)](https://travis-ci.org/goabout/kustomize-sopssecretgenerator)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/goabout/kustomize-sopssecretgenerator)](https://goreportcard.com/report/github.com/goabout/kustomize-sopssecretgenerator)\n[![Codecov](https://img.shields.io/codecov/c/github/goabout/kustomize-sopssecretgenerator)](https://codecov.io/gh/goabout/kustomize-sopssecretgenerator)\n[![Latest Release](https://img.shields.io/github/v/release/goabout/kustomize-sopssecretgenerator?sort=semver)](https://github.com/goabout/kustomize-sopssecretgenerator/releases/latest)\n[![License](https://img.shields.io/github/license/goabout/kustomize-sopssecretgenerator)](https://github.com/goabout/kustomize-sopssecretgenerator/blob/master/LICENSE)\n\nSecretGenerator ❤ sops\n\n\n## Why use this?\n\n[Kustomize](https://github.com/kubernetes-sigs/kustomize) is a great tool for implementing a [GitOps](https://www.weave.works/blog/gitops-operations-by-pull-request) workflow. When a repository describes the entire system state, it often contains secrets that need to be encrypted at rest. Mozilla's [sops](https://github.com/mozilla/sops) is a simple and flexible tool that is very suitable for that task.\n\nThis Kustomize plugin allows you to create Secrets transparently from sops-encrypted files during resource generation. It is explicitly modeled after the builtin [SecretGenerator](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/plugins/builtins.md#secretgenerator) plugin. 
Because it is an exec plugin, it is not tied to the specific compilation of Kustomize, [like Go plugins are](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/plugins/goPluginCaveats.md).\n\nSince version 1.5.0, the plugin can be used as a [KRM Function](https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md).\n\nCredit goes to [Seth Pollack](https://github.com/sethpollack) for the [Kustomize Secret Generator Plugins KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/kustomize-secret-generator-plugins.md) and subsequent implementation that made this possible.\n\n\n## Installation\n\n\nSopsSecretGenerator is available as a binary, or as a Docker image.\n\n### Binary\n\nDownload the `SopsSecretGenerator` binary for your platform from the [GitHub releases page](https://github.com/goabout/kustomize-sopssecretgenerator/releases) and make it executable.\n\nFor example, to install version 1.6.0 on Linux:\n```bash\nVERSION=1.6.0 PLATFORM=linux ARCH=amd64\ncurl -Lo SopsSecretGenerator \"https://github.com/goabout/kustomize-sopssecretgenerator/releases/download/v${VERSION}/SopsSecretGenerator_${VERSION}_${PLATFORM}_${ARCH}\"\nchmod +x SopsSecretGenerator\n```\n\nYou do not need to install the `sops` binary for the plugin to work. The plugin includes and calls sops internally.\n\n\n### Docker image\n\nSee the [goabout/kustomize-sopssecretgenerator](https://hub.docker.com/repository/docker/goabout/kustomize-sopssecretgenerator) image at Docker Hub.\n\n\n## Usage\n\nCreate some encrypted values using `sops`:\n```bash\necho FOO=secret \u003esecret-vars.env\nsops -e -i secret-vars.env\n\necho secret \u003esecret-file.txt\nsops -e -i secret-file.txt\n```\n\n\n### Exec KRM Function\n\nAlthough the generator can run in a Docker container, any real usage requires access to local resources such as the filesystem or a PGP socket. 
This example calls the binary directly.\n\nAdd a generator to your kustomization:\n```bash\ncat \u003c\u003c. \u003ekustomization.yaml\ngenerators:\n  - generator.yaml\n.\n\ncat \u003c\u003c. \u003egenerator.yaml\napiVersion: goabout.com/v1beta1\nkind: SopsSecretGenerator\nmetadata:\n  annotations:\n   config.kubernetes.io/function: |\n      exec:\n        path: ./SopsSecretGenerator\n  name: my-secret\nenvs:\n  - secret-vars.env\nfiles:\n  - secret-file.txt\n.\n```\n\n(Change the path to the `SopsSecretGenerator` binary to suit your installation. Kustomize will use the binary search path, `$PATH`, if you use a bare command.)\n\nRun `kustomize build` with the `--enable-alpha-plugins` and `--enable-exec` flags:\n\n```bash\nkustomize build --enable-alpha-plugins --enable-exec\n```\n    \nThe output is a Kubernetes secret containing the decrypted data:\n```yaml\napiVersion: v1\ndata:\n  FOO: J3NlY3JldCc=\n  secret-file.txt: c2VjcmV0Cg==\nkind: Secret\nmetadata:\n  name: my-secret-6d2fchb89d\n```\n\n\n### Legacy Plugin\n\nFirst, install the plugin to `$XDG_CONFIG_HOME`: (By default, `$XDG_CONFIG_HOME` points to `$HOME/.config` on Linux and OS X, and `%LOCALAPPDATA%` on Windows.)\n```bash\nmkdir -p \"${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator\"\nmv SopsSecretGenerator \"${XDG_CONFIG_HOME:-$HOME/.config}/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator\"\n```\n\nAdd a generator to your kustomization:\n```bash\ncat \u003c\u003c. \u003ekustomization.yaml\ngenerators:\n  - generator.yaml\n.\n\ncat \u003c\u003c. \u003egenerator.yaml\napiVersion: goabout.com/v1beta1\nkind: SopsSecretGenerator\nmetadata:\n  name: my-secret\nenvs:\n  - secret-vars.env\nfiles:\n  - secret-file.txt\n.\n```\n\n\n### Generator Options\n\nLike SecretGenerator, SopsSecretGenerator supports the [generatorOptions](https://kubernetes-sigs.github.io/kustomize/api-reference/kustomization/generatoroptions/) fields. 
Additionally, labels and annotations are copied over to the Secret. Data key-values (\"envs\") can be read from dotenv, INI, YAML and JSON files. If the data is a file and the Secret data key needs to be different from the filename, you can specify the key by adding `desiredKey=filename` instead of just the filename.\n\nAn example showing all options:\n\n    apiVersion: goabout.com/v1beta1\n    kind: SopsSecretGenerator\n    metadata:\n      name: my-secret\n      labels:\n        app: my-app\n      annotations:\n        create-by: me\n    behavior: create\n    disableNameSuffixHash: true\n    envs:\n      - secret-vars.env\n      - secret-vars.ini\n      - secret-vars.yaml\n      - secret-vars.json\n    files:\n      - secret-file1.txt\n      - secret-file2.txt=secret-file2.sops.txt\n    type: Opaque\n\n\n## Using SopsSecretGenerator with ArgoCD\n\nSopsSecretGenerator can be added to ArgoCD by [patching](./docs/argocd.md) an initContainer into the ArgoCD provided `install.yaml`.\n\n\n## Alternatives\n\nThere are a number of other plugins that can serve the same function:\n\n* [viaduct-ai/kustomize-sops](https://github.com/viaduct-ai/kustomize-sops)\n* [Agilicus/kustomize-sops](https://github.com/Agilicus/kustomize-sops)\n* [barlik/kustomize-sops](https://github.com/barlik/kustomize-sops)\n* [monopole/sopsencodedsecrets](https://github.com/monopole/sopsencodedsecrets)\n* [omninonsense/kustomize-sopsgenerator](https://github.com/omninonsense/kustomize-sopsgenerator)\n* [whatever-company/secretgen](https://github.com/whatever-company/secretgen)\n\nAdditionally, there are other ways to use sops-encrypted secrets in Kubernetes:\n\n* [isindir/sops-secrets-operator](https://github.com/isindir/sops-secrets-operator)\n* [craftypath/sops-operator](https://github.com/craftypath/sops-operator)\n* [jkroepke/helm-secrets](https://github.com/jkroepke/helm-secrets)\n* [dschniepp/sealit](https://github.com/dschniepp/sealit)\n\nMost of these projects are in constant development. 
I invite you to check them out and pick the project that best fits your goals.\n\n\n## Development\n\nYou will need [Go](https://golang.org) 1.17 or higher to develop and build the plugin.\n\n\n### Test\n\nRun all tests:\n\n    make test\n\nIn order to create encrypted test data, you need to import the secret key from `testdata/keyring.gpg` into your GPG keyring once:\n\n    cd testdata\n    gpg --import keyring.gpg\n    \nYou can then use `sops` to create encrypted files:\n\n    sops -e -i newfile.txt\n\n\n### Build\n\nCreate a binary for your system:\n\n    make\n    \nThe resulting executable will be named `SopsSecretGenerator`.\n\n\n### Release\n\nThis project uses GitHub Actions and [goreleaser](https://goreleaser.com) to publish releases on GitHub.\n\nFirst, don't forget to update the documentation for the new version you are going to release.\n\nThen create a Git tag for the release:\n\n    VERSION=X.X.X\n    git tag -a v$VERSION -m \"Version $VERSION\"\n\nAnd push it to GitHub:\n\n    git push\n\nThe GitHub Actions workflow will build and release the binaries automatically.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoabout%2Fkustomize-sopssecretgenerator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoabout%2Fkustomize-sopssecretgenerator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoabout%2Fkustomize-sopssecretgenerator/lists"}