Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jmhodges/kustomize-age

A kustomize plugin for using age encrypted files in Secrets
https://github.com/jmhodges/kustomize-age

Last synced: 18 days ago
JSON representation

A kustomize plugin for using age encrypted files in Secrets

Host: GitHub
URL: https://github.com/jmhodges/kustomize-age
Owner: jmhodges
License: apache-2.0
Created: 2020-09-11T10:33:14.000Z (over 4 years ago)
Default Branch: main
Last Pushed: 2024-04-19T15:28:58.000Z (8 months ago)
Last Synced: 2024-11-17T17:42:42.737Z (25 days ago)
Language: Go
Size: 229 KB
Stars: 13
Watchers: 3
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-age - kustomize-age

README

kustomize-age is a plugin for `kustomize` that allows the user to keep local
files encrypted with `age` that are decrypted before being used as `files`
inside a kubernetes `Secret`.

Unlike kustomize-sops it does not encrypt the whole `Secret` yaml file, but just
the files mentioned in the `Secret`'s `files` attribute.

Use
===

First, run `make install` and it will build this as a Go plugin and install it
into your `$XDG_CONFIG_HOME`. (The Makefile is small, so you can read it to see
exactly what it's doing.)

Then, you'll create your `Secret` yaml file normally but with a few changes:

* `apiVersion` should be set to `apiVersion: kustomize-age/v1`
* `kind` should be set to `OndiskEncryptedSecret` instead of `Secret` (though,
the final object that's added to your k8s cluster will be a `Secret`).
* `files` should be the file paths you want decrypted and stored in the `Secret`
without the `.age` suffix on them. For example, a `mycredentials.key` in
`files` of the `OndiskEncryptedSecret` will correspond to the age encrypted
file on disk at `mycredentials.key.age`)

Those `.age` file paths will be the file paths you wanted included in the
`Secret` but encrypted with the `age` key specified.

By default, the `age` key used to decrypt these files is expected to be in the
`KUBE_AGE_KEY` environment variable. The environment variable used can be
overrided by setting the `ageKeyEnvVar` in the `OndiskEncryptedSecret`.

Example
=======

Supposing you have a file path you want in your secret at
`mycredentials.key.age`

```
$ ls
mycredentials.key.age mycredentials.yaml

$ cat mycredentials.yaml
apiVersion: kustomize-age/v1
kind: OndiskEncryptedSecret
metadata:
name: some-svc-credentials
files:
- mycredentials.key

# likely, you'll want to delete this next line and use the
# default KUBE_AGE_KEY env var.
ageKeyEnvVar: ANOTHER_ENV_VAR
```

Caveat
======
As with many Go plugins, you may have to fork this repo and adjust its `go.mod`
in order to correct package mismatches with your `kustomize` binary.