KoHcoJlb/kustomize-sops

Simple Kustomize plugin to decrypt sops-encrypted yaml files

This plugin is designed to be a simpler alternative to KSOPS. Its main target is use with ArgoCD.

Installation with kustomize

This repo contains a Kustomize component you can use to install this plugin in ArgoCD. Add this to your ArgoCD kustomization.yaml:

components:
- https://github.com/KoHcoJlb/kustomize-sops//argocd?ref=v0.1.0

You also need to mount the corresponding private keys or environment variables into the argocd-repo-server container.

Example for age (for other key types see SOPS documentation)

repo-server.yaml (patchesStrategicMerge)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      containers:
      - name: argocd-repo-server
        volumeMounts:
        - mountPath: /home/argocd/.config/sops/age/
          name: sops-age-keys
      volumes:
      - name: sops-age-keys
        secret:
          secretName: sops-age-keys

sops-age-keys.yaml (resources)

apiVersion: v1
kind: Secret
metadata:
  name: sops-age-keys
  namespace: argocd
stringData:
  keys.txt: |
    AGE-SECRET-KEY-1EXA40TQ9U7Q544USTEZGDFY2WJ6CFNQU5V0YTECE0QW63AYNT6DS2JWV2P

Usage

Just add this to your kustomization

transformers:
- https://github.com/KoHcoJlb/kustomize-sops//transformer

Note

MAC verification is disabled in this plugin as it conflicts with kustomize transformations.
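
Since the plugin decrypts without checking the MAC, one way to keep that integrity check is to run plain `sops --decrypt`, which verifies the MAC unless `--ignore-mac` is passed, over the repository in CI before ArgoCD syncs it. The script below is an added example, not part of this project; the function names and the optional decrypt-command override are assumptions, and it expects the sops CLI and a decryption key to be available to the CI job.

```shell
#!/bin/sh
# Added example (not part of kustomize-sops): verify SOPS MACs in CI,
# since the plugin itself decrypts without MAC verification.
# Assumes the sops CLI and a decryption key are available to the job.

# Print YAML files under DIR that carry a top-level "sops:" metadata block.
find_sops_files() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec grep -l '^sops:' {} +
}

# verify_macs DIR [DECRYPT_CMD...]
# Decrypts every SOPS file to /dev/null. Plain "sops --decrypt" checks the
# MAC and exits non-zero on a mismatch. DECRYPT_CMD is a hypothetical
# override so the logic can be exercised without real keys.
verify_macs() {
    dir=$1
    shift
    [ "$#" -gt 0 ] || set -- sops --decrypt
    # Collect the files whose decryption (and therefore MAC check) failed.
    failed=$(find_sops_files "$dir" | while IFS= read -r f; do
        "$@" "$f" >/dev/null 2>&1 </dev/null || printf '%s\n' "$f"
    done)
    if [ -n "$failed" ]; then
        printf 'SOPS decryption/MAC check failed for:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# When run as a script: ./check-sops-mac.sh <dir>
if [ "$#" -gt 0 ]; then
    verify_macs "$@" || exit 1
fi
```

A failure here can also mean the job lacks the right key, so the report lists the affected files rather than naming the cause.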

Other projects

KSOPS