Skip to main content

Secrets

Important

Never commit plain text secrets to git.

SOPS and Age are used to encrypt secrets before committing them to git.

Install

# Install sops
curl -LO https://github.com/getsops/sops/releases/download/v3.9.2/sops-v3.9.2.linux.amd64
sudo mv sops-v3.9.2.linux.amd64 /usr/local/bin/sops
sudo chmod +x /usr/local/bin/sops

# Install age
sudo apt install -y age

CLI commands

# Generate a key pair
age-keygen -o age.key

# Set environment variable to the path of the key file
# sops will use this key to encrypt/decrypt files
# VSCode extension and Terraform will also use this env variable
export SOPS_AGE_KEY_FILE=age.key

# Encrypt a file
sops -e secrets.yaml > secrets.yaml.enc

# Decrypt a file
sops -d secrets.yaml.enc

VSCode

VSCode has an extension to edit encrypted files directly in the editor.

Terraform Provider

For Terraform, sops provider can be used to decrypt the secrets inside the code.

Example

I need to pass in the PVE username and password to the Terraform provider, so I created this encrypted yaml file. In the Terraform code, I can decrypt and use them normally:

terraform {
  required_providers {
    proxmox = {
      source  = "bpg/proxmox"
      version = "~> 0.69.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.5.2"
    }
    sops = {
      source  = "carlpett/sops"
      version = "~> 1.1.1"
    }
  }
}

provider "sops" {}

data "sops_file" "secrets" {
  # path to the encrypted file
  source_file = "${path.module}/secrets-tf.enc.yaml"
}

locals {
  # decrypt the secrets to local variables
  pve_endpoint    = data.sops_file.secrets.data["pve_endpoint"]
  pve_username    = data.sops_file.secrets.data["pve_username"]
  pve_password    = data.sops_file.secrets.data["pve_password"]
}

provider "proxmox" {
  # use the local variables
  endpoint = local.pve_endpoint
  username = local.pve_username
  password = local.pve_password
  insecure = true
}

K3s Cluster

I handle secrets differently in my K3s cluster because I couldn't get SOPS to work with it. Instead, I use External Secrets Operator (ESO) and Doppler to manage my cluster secrets.

In my git repo, I keep an encrypted Doppler token in settings/k3s/. I first decrypt it and apply it to the cluster as a secret. Then ESO can fetch the secrets from Doppler whenever they're needed.

sops -d remote-secret.enc.yaml | kubectl apply -f -
Last updated on by Viet Le