Managing Encrypted Configuration with SOPS

Encrypting sensitive data is crucial for secure deployments, even in local environments.? We'll cover encrypting secrets with SOPS and storing them securely in Minikube.

Prerequisites

To follow this tutorial, you will need:

1. Basic knowledge of the command-line.
2. A Minikube environment set up. You can install Minikube following the official instructions.
3. kubectl installed and configured to interact with Minikube.
4. SOPS installed on your local machine. Installation Guide.
5. A working kubectl context for Minikube:

kubectl config use-context minikube        

Step 1: Setting Up Minikube

Ensure your Minikube cluster is running:

minikube start        

Verify your cluster setup:

kubectl cluster-info?        

Step 2: Creating a Sample Configuration File

Let's create a sample YAML configuration (config.yaml) file with sensitive data:

apiVersion: v1
kind: Config
metadata:
  name: my-config
spec:
  username: admin
  password: supersecretpassword
  db_host: database.local
  db_port: 5432        

Step 3: Encrypting the Configuration File with SOPS

For local development, we'll use the age encryption format with SOPS. It's lightweight, quick, and doesn't require cloud-based KMS services.

Using age for Local Encryption:

1. Install age if you haven't already:

# MacOS
brew install age  

# Linux
sudo apt-get install age  

# Windows
choco install age.portable          

2. Generate an age key pair and export the location:

age-keygen -o age-key.txt        

export SOPS_AGE_KEY_FILE=$PWD/age-key.txt        

3. Add the public key from age-key.txt to the SOPS configuration file (.sops.yaml):

?.sops.yaml:

?creation_rules:
  - age: <PASTE_YOUR_PUBLIC_AGE_KEY_HERE>        

To get the public key, use:

cat age-key.txt | grep "^#" | cut -d " " -f4        

4. Encrypt the YAML file using age:

sops --encrypt --age $(cat age-key.txt | grep "^#" | cut -d " " -f4) config.yaml > encrypted-config.yaml        

Now, encrypted-config.yaml contains the encrypted content.

Step 4: Decrypting and Using Encrypted Files in Minikube

To deploy encrypted secrets to Kubernetes, you’ll need to:

1. Decrypt the file.
2. Create a Kubernetes Secret from the decrypted content.

Here's how to proceed:

1. Decrypt and Create a Kubernetes Secret:

sops --decrypt encrypted-config.yaml > decrypted-config.yaml
kubectl create secret generic my-config-secret --from-file=decrypted-config.yaml        

2. View the Created Secret:

kubectl get secret my-config-secret -o yaml        

3. Mounting the Secret to a Pod:

Create a Pod spec to utilize the secret:

my-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: nginx
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
      readOnly: true
  volumes:
  - name: config-volume
    secret:
      secretName: my-config-secret        

Deploy the Pod:

kubectl apply -f my-pod.yaml        

4. Verifying the Secret in the Pod:

You can verify that the secret is correctly mounted in the Pod:

kubectl exec my-app -- ls /etc/config        

Step 5: Managing Encrypted Secrets in Git

To manage encrypted files with Git, follow these best practices:

1. Store encrypted files, like encrypted-config.yaml, in your version control.

2. Ignore decrypted files with .gitignore:

.gitignore:

# Ignore decrypted files
decrypted-config.yaml        

3. Commit SOPS configuration (.sops.yaml) to Git for team collaboration.

Step 6: Automating Secret Management with CI/CD

Automating secrets in CI/CD for a local Minikube cluster:

1. Set up the CI environment to have access to the age key:

• Store the private key securely in your CI environment.
• For example, if using GitHub Actions, add the private key as a secret.

2. Use the key to decrypt the file and apply it to Minikube:

Example CI Workflow (GitHub Actions):

name: Deploy to Minikube

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v2

    - name: Set up kubectl
      uses: azure/setup-kubectl@v2
      with:
        version: 'latest'

    - name: Start Minikube
      run: |
        curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
        sudo install minikube-linux-amd64 /usr/local/bin/minikube
        sudo minikube start --driver=docker

    - name: Decrypt config with SOPS
      env:
        SOPS_AGE_KEY_FILE: ./age-key.txt
      run: |
        sops --decrypt encrypted-config.yaml > decrypted-config.yaml

    - name: Apply Kubernetes Secret
      run: |
        kubectl create secret generic my-config-secret --from-file=decrypted-config.yaml
        kubectl apply -f my-pod.yaml        

Conclusion

You can now manage encrypted configuration files using SOPS within a local Kubernetes environment like Minikube. SOPS is a versatile tool that integrates seamlessly with different workflows, whether you're encrypting secrets locally or in cloud environments. Using age provides an efficient way to handle secrets securely without relying on cloud-based KMS solutions.