### Build and Install Operators Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Installs required operators and the operator within a KinD Cluster. Downloads necessary binaries. ```shell make e2e-build ``` -------------------------------- ### Install Helm Chart Source: https://github.com/peak-scale/sops-operator/blob/main/charts/sops-operator/README.md Installs the SOPS Operator Helm chart from a specified OCI registry. ```bash $ helm install sops-operator oci://ghcr.io/peak-scale/charts/sops-operator -n secrets-system ``` -------------------------------- ### Example SopsSecret Definition Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md An example of a GlobalSopsSecret definition with multiple secrets, demonstrating different configurations for name, namespace, labels, annotations, stringData, and data. ```yaml apiVersion: addons.projectcapsule.dev/v1alpha1 kind: GlobalSopsSecret metadata: name: example-secret spec: secrets: - name: my-secret-name-1 namespace: solar-namespace-1 labels: label1: value1 stringData: data-name0: data-value0 data: data-name1: ZGF0YS12YWx1ZTE= - name: jenkins-test-secret namespace: solar-namespace-2 labels: "jenkins.io/credentials-type": "usernamePassword" annotations: "jenkins.io/credentials-description": "credentials from Kubernetes" stringData: username: myUsername password: 'Pa$$word' - name: docker-test-login namespace: solar-namespace-3 type: 'kubernetes.io/dockerconfigjson' stringData: .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"myuser@abc.com","auth":"aW15dXNlcjpteXBhc3M="}}}' ``` -------------------------------- ### SopsProvider Custom Resource Example Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md An example of a SopsProvider Custom Resource definition in YAML format. This resource connects private keys to SopsSecrets based on namespace selectors and labels. ```yaml apiVersion: addons.projectcapsule.dev/v1alpha1 kind: SopsProvider metadata: name: solar-provider spec: keys: - namespaceSelector: matchLabels: capsule.clastix.io/tenant: solar sops: - namespaceSelector: matchLabels: capsule.clastix.io/tenant: solar ``` -------------------------------- ### SopsSecret Custom Resource Example Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md An example of a SopsSecret custom resource definition in YAML format. ```yaml apiVersion: addons.projectcapsule.dev/v1alpha1 kind: SopsSecret metadata: name: example-secret spec: secrets: - name: my-secret-name-1 labels: label1: value1 stringData: data-name0: data-value0 data: data-name1: ZGF0YS12YWx1ZTE= - name: jenkins-test-secret labels: "jenkins.io/credentials-type": "usernamePassword" annotations: "jenkins.io/credentials-description": "credentials from Kubernetes" stringData: username: myUsername password: 'Pa$$word' - name: docker-test-login type: 'kubernetes.io/dockerconfigjson' stringData: .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"myuser@abc.com","auth":"aW15dXNlcjpteXBhc3M="}}}' ``` -------------------------------- ### Prometheus Metrics Examples Source: https://github.com/peak-scale/sops-operator/blob/main/docs/monitoring.md Examples of custom Prometheus metrics provided by the sops-operator, including provider, secret, and global secret conditions. ```shell # HELP sops_provider_condition The current condition status of a Provider. # TYPE sops_provider_condition gauge sops_provider_condition{name="sample-provider",status="NotReady"} 0 sops_provider_condition{name="sample-provider",status="Ready"} 1 # HELP sops_secret_condition The current condition status of a Secret. # TYPE sops_secret_condition gauge sops_secret_condition{name="secret-key-1",namespace="default",status="NotReady"} 0 sops_secret_condition{name="secret-key-1",namespace="default",status="Ready"} 1 # HELP sops_global_secret_condition The current condition status of a Global Secret. # TYPE sops_global_secret_condition gauge sops_global_secret_condition{name="global-secret-key-1",status="NotReady"} 1 sops_global_secret_condition{name="global-secret-key-1",status="Ready"} 0 ``` -------------------------------- ### Encrypted SopsSecret Example Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md An example of an encrypted SopsSecret file, showing encrypted strings in data and stringData fields, and additional encryption information in the .spec.sops part. ```yaml --- apiVersion: addons.projectcapsule.dev/v1alpha1 kind: GlobalSopsSecret metadata: name: example-secret spec: secrets: - name: my-secret-name-1 namespace: solar-namespace-1 labels: label1: value1 stringData: data-name0: ENC[AES256_GCM,data:rzeUm9qWZZoZPo8=,iv:VYKdM8RYW5ksLWdGiq3GF4g9GQDwyBVSsujf/SaqmO4=,tag:5+PHfnV+269GmG4nBmLWMA==,type:str] data: data-name1: ENC[AES256_GCM,data:2JWdH24EMdKkBjlvFbHlRg==,iv:H1wRXMjXmF4ZPn8h3SxSWmQDvwcGh3KErXHUxbkz6PM=,tag:HnV79rychvI4CZJotp8mNQ==,type:str] - name: jenkins-test-secret namespace: solar-namespace-2 labels: jenkins.io/credentials-type: usernamePassword annotations: jenkins.io/credentials-description: credentials from Kubernetes stringData: username: ENC[AES256_GCM,data:FJzExzetwQKWhA==,iv:kT2DpN+fuhAmLN1FtgPR6JjC5uQtUnpUYRHz1Q/9hJs=,tag:R+WyLU0R6kGE8/6buwcN7Q==,type:str] password: ENC[AES256_GCM,data:v4+8eyfUw5A=,iv:ib0VCmSTs6alRot3MVl5fa0x3jN/xTkiLghzOPrxKB8=,tag:l+fjDZEhCNO6uc6b145Emw==,type:str] - name: docker-test-login namespace: solar-namespace-3 type: kubernetes.io/dockerconfigjson stringData: .dockerconfigjson: ENC[AES256_GCM,data:d4/wjjm43GD/dUU2aVvSQf8BANBq3Y++DKFqHWyRFC5QVG5gC1EU8GIHn1N1IGgbSM+cX3G4M3OVQlDNzjmH6TmIID6yiqnSt5XhVocoWHRiBFE8KFqphkrIqLqOKZxJMfZWvbQ7ncuV9Jv1/mo6vpG8B4dqeWC9sUi4URH40A==,iv:wXcp/hD9OPOw0s0kFiGeRyaZZt9ffST/rikS9qp6tYo=,tag:1WWHAjq1lRgfUd9HUS5bkg==,type:str] sops: age: - recipient: age10t4z6kr0nfl7xxwrwtj9ehfl7wkp7kdy2whlpmzannppqhvfu3lsyjxqjm enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VDZnMUJ5YXlndStRWlRu QnNGWmtkd016MjhOMTFXQURaRTg0cXRLNWc0CmNCRUxqdDRjQkNTWWw2RFdMZXJW SHNpWTZvWlQ4ZnpLdnVlblF5YW44eUEKLS0tIHJ3akJjeGRCTmJETlRqVmtjTTY3 SmdPTms3TnZqc2ZDdm1KclhNWnJhOWcKwWXCTacYOynueHUeQX5ByTmajItT8NnJ Hfe3I4NZ72p/MbnfzmZWBFOR5ANJZ+we6vUnz1fair9MdyvQV+uhxA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-05-15T07:01:38Z" mac: ENC[AES256_GCM,data:KxCP0JXws5+u2c7F1Hdek8mn51Ld5su+meB0nLUzPZoOR0VfSm2mTveGkz8/OsO3u8Uo9OM4dUbd+zsnYjhL6t11Eok8ePVvzkYthYQBpPtWXFLnkobpOTMWVP7FUlmTVwFIwGuUC4Wh8LaPF/jYkXowF9mylhjJLURRVM1u+3U=,iv:u3hgRmvhHB84HR4bNuPUHfYHktGXzbe4zerXftOoY54=,tag:zJTpxyJJ532DkPHSwhorog==,type:str] version: 3.10.2 ``` -------------------------------- ### Example SopsSecret YAML definition Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md A YAML manifest defining a SopsSecret with multiple secrets, including stringData and data fields, and specifying age encryption. ```yaml --- apiVersion: addons.projectcapsule.dev/v1alpha1 kind: SopsSecret metadata: name: example-secret namespace: solar-namespace-2 spec: secrets: - name: my-secret-name-1 labels: label1: value1 stringData: data-name0: ENC[AES256_GCM,data:rzeUm9qWZZoZPo8=,iv:VYKdM8RYW5ksLWdGiq3GF4g9GQDwyBVSsujf/SaqmO4=,tag:5+PHfnV+269GmG4nBmLWMA==,type:str] data: data-name1: ENC[AES256_GCM,data:2JWdH24EMdKkBjlvFbHlRg==,iv:H1wRXMjXmF4ZPn8h3SxSWmQDvwcGh3KErXHUxbkz6PM=,tag:HnV79rychvI4CZJotp8mNQ==,type:str] - name: jenkins-test-secret labels: jenkins.io/credentials-type: usernamePassword annotations: jenkins.io/credentials-description: credentials from Kubernetes stringData: username: ENC[AES256_GCM,data:FJzExzetwQKWhA==,iv:kT2DpN+fuhAmLN1FtgPR6JjC5uQtUnpUYRHz1Q/9hJs=,tag:R+WyLU0R6kGE8/6buwcN7Q==,type:str] password: ENC[AES256_GCM,data:v4+8eyfUw5A=,iv:ib0VCmSTs6alRot3MVl5fa0x3jN/xTkiLghzOPrxKB8=,tag:l+fjDZEhCNO6uc6b145Emw==,type:str] - name: docker-test-login type: kubernetes.io/dockerconfigjson stringData: .dockerconfigjson: ENC[AES256_GCM,data:d4/wjjm43GD/dUU2aVvSQf8BANBq3Y++DKFqHWyRFC5QVG5gC1EU8GIHn1N1IGgbSM+cX3G4M3OVQlDNzjmH6TmIID6yiqnSt5XhVocoWHRiBFE8KFqphkrIqLqOKZxJMfZWvbQ7ncuV9Jv1/mo6vpG8B4dqeWC9sUi4URH40A==,iv:wXcp/hD9OPOw0s0kFiGeRyaZZt9ffST/rikS9qp6tYo=,tag:1WWHAjq1lRgfUd9HUS5bkg==,type:str] sops: age: - recipient: age10t4z6kr0nfl7xxwrwtj9ehfl7wkp7kdy2whlpmzannppqhvfu3lsyjxqjm enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VDZnMUJ5YXlndStRWlRu QnNGWmtkd016MjhOMTFXQURaRTg0cXRLNWc0CmNCRUxqdDRjQkNTWWw2RFdMZXJW SHNpWTZvWlQ4ZnpLdnVlblF5YW44eUEKLS0tIHJ3akJjeGRCTmJETlRqVmtjTTY3 SmdPTms3TnZqc2ZDdm1KclhNWnJhOWcKwWXCTacYOynueHUeQX5ByTmajItT8NnJ Hfe3I4NZ72p/MbnfzmZWBFOR5ANJZ+we6vUnz1fair9MdyvQV+uhxA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-05-15T07:01:38Z" mac: ENC[AES256_GCM,data:KxCP0JXws5+u2c7F1Hdek8mn51Ld5su+meB0nLUzPZoOR0VfSm2mTveGkz8/OsO3u8Uo9OM4dUbd+zsnYjhL6t11Eok8ePVvzkYthYQBpPtWXFLnkobpOTMWVP7FUlmTVwFIwGuUC4Wh8LaPF/jYkXowF9mylhjJLURRVM1u+3U=,iv:u3hgRmvhHB84HR4bNuPUHfYHktGXzbe4zerXftOoY54=,tag:zJTpxyJJ532DkPHSwhorog==,type:str] version: 3.10.2 ``` -------------------------------- ### Build and Install Operators with Specific Kubernetes Version Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Allows specifying a Kubernetes version for the build process. ```shell KIND_K8S_VERSION="v1.31.0" make e2e-build ``` -------------------------------- ### Debugging a NotReady SopsSecret Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Example of a SopsSecret in a NotReady state and the associated error message. ```shell $ kubectl get sopssecret NAME SECRETS STATUS AGE MESSAGE example-secret 0 NotReady 50s secret solar-namespace-2/example-secret has no decryption providers ``` -------------------------------- ### Show Helm Chart Status Source: https://github.com/peak-scale/sops-operator/blob/main/charts/sops-operator/README.md Displays the current status of the installed SOPS Operator Helm chart. ```bash $ helm status sops-operator -n secrets-system ``` -------------------------------- ### Verifying SopsSecret status Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to get the status of the SopsSecret resource. ```shell kubectl get sopssecret -n solar-namespace-2 NAME SECRETS STATUS AGE MESSAGE example-secret 3 Ready 2m56s Reconciliation succeeded ``` -------------------------------- ### Get sops secret status Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to retrieve the status of a deployed sops secret. ```shell kubectl get globalsopssecret example-secret ``` -------------------------------- ### Inspect Docker Image SBOM Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to download and inspect the Software Bill of Materials (SBOM) for the Docker image using cosign. Requires setting COSIGN_REPOSITORY and replacing . ```bash export COSIGN_REPOSITORY=ghcr.io/peak-scale/sops-operator COSIGN_REPOSITORY=ghcr.io/peak-scale/sops-operator cosign download sbom ghcr.io/peak-scale/sops-operator: ``` -------------------------------- ### Set Client Environment Variables Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Sets the VAULT_ADDR and VAULT_TOKEN environment variables for connecting to Vault. ```shell export VAULT_ADDR=http://openbao.openbao.svc.cluster.local:8200 export VAULT_TOKEN=root ``` -------------------------------- ### Inspect Helm Chart SBOM Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to download and inspect the Software Bill of Materials (SBOM) for the Helm chart using cosign. Requires setting COSIGN_REPOSITORY and replacing . ```bash export COSIGN_REPOSITORY=ghcr.io/peak-scale/charts/sops-operator COSIGN_REPOSITORY=ghcr.io/peak-scale/sops-operator cosign download sbom ghcr.io/peak-scale/charts/sops-operator: ``` -------------------------------- ### CPU Profiling with PProf Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Collects and analyzes CPU profiles using PProf. ```shell curl -s "http://127.0.0.1:8082/debug/pprof/profile" > ./cpu-profile.out go tool pprof -http=:8080 ./cpu-profile.out ``` -------------------------------- ### Verify Docker Image Provenance (SLSA Level 3) Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to verify the SLSA provenance of the Docker image using cosign. Requires replacing with the actual release tag. ```bash cosign verify-attestation --type slsaprovenance \ --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/peak-scale/sops-operator: | jq .payload -r | base64 --decode | jq ``` -------------------------------- ### Verify Helm Chart Provenance (SLSA Level 3) Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to verify the SLSA provenance of the Helm chart using cosign. Requires replacing with the actual release tag. ```bash VERSION= cosign verify-attestation --type slsaprovenance \ --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ "ghcr.io/peak-scale/charts/sops-operator:${VERSION}" | jq .payload -r | base64 --decode | jq ``` -------------------------------- ### Listing created secrets Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to list the actual Kubernetes secrets created from the SopsSecret. ```shell kubectl get secret -n solar-namespace-2 NAME TYPE DATA AGE docker-test-login Opaque 1 105s jenkins-test-secret Opaque 2 105s my-secret-name-1 Opaque 2 106s ``` -------------------------------- ### Import GnuPG public key Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Imports a GnuPG public key from a file into the local keyring, allowing team members to encrypt secrets. ```shell gpg --import .sops.pub.asc ``` -------------------------------- ### SopsProvider with Generic Selectors Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md An alternative SopsProvider configuration that uses generic selectors, allowing any resource with the required label to be matched. ```yaml spec: keys: - matchLabels: {} sops: - matchLabels: {} ``` -------------------------------- ### Run Operator Binary Locally Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Executes the operator binary directly for local development. ```shell go run cmd/main.go -zap-log-level=10 ``` -------------------------------- ### Unit Testing with Clean KinD Cluster Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Executes unit tests using a clean KinD cluster. ```shell make e2e-exec ``` -------------------------------- ### Verify Docker Image Signature Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to verify the signature of the Docker image using cosign. Requires setting COSIGN_REPOSITORY and replacing with the actual release tag. ```bash export COSIGN_REPOSITORY=ghcr.io/peak-scale/sops-operator VERSION= COSIGN_REPOSITORY=ghcr.io/peak-scale/sops-operator cosign verify ghcr.io/peak-scale/sops-operator:${VERSION} \ --certificate-identity-regexp="https://github.com/peak-scale/sops-operator/.github/workflows/docker-publish.yml@refs/tags/*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq ``` -------------------------------- ### Deploy GnuPG private key Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Exports the GnuPG secret key and deploys it to a specified Kubernetes namespace as a generic secret, labeling it for use with the sops provider. ```shell export NAMESPACE=solar-namespace-1 export SECRETNAME=sops-gpg-solar gpg --export-secret-keys --armor "${KEY_FP}" | kubectl create secret generic $SECRETNAME \ --from-file=sops.asc=/dev/stdin \ --namespace=$NAMESPACE ``` ```shell kubectl label secret $SECRETNAME \ --namespace=$NAMESPACE \ sops.addons.projectcapsule.dev=true ``` -------------------------------- ### Unit Testing Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Executes unit tests. ```shell make test ``` -------------------------------- ### Test Helm Chart Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Tests the Helm chart. ```shell make helm-test ``` -------------------------------- ### Export Kubeconfig for KinD Cluster Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Exports the Kubeconfig for a KinD cluster, useful when managing multiple clusters. ```shell bin/kind get kubeconfig --name sops-operator > /tmp/sops-operator export KUBECONFIG="/tmp/sops-operator" ``` -------------------------------- ### Applying the SopsSecret Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to apply the SopsSecret manifest to the Kubernetes cluster. ```shell kubectl apply -f secret-encrypted.yaml sopssecret.addons.projectcapsule.dev/example-secret created ``` -------------------------------- ### Verify Helm Chart Signature Source: https://github.com/peak-scale/sops-operator/blob/main/SECURITY.md Command to verify the signature of the Helm chart using cosign. Requires setting COSIGN_REPOSITORY and replacing with the actual release tag. ```bash export COSIGN_REPOSITORY=ghcr.io/peak-scale/charts/sops-operator VERSION= COSIGN_REPOSITORY=ghcr.io/peak-scale/charts/sops-operator cosign verify ghcr.io/peak-scale/charts/sops-operator:${VERSION} \ --certificate-identity-regexp="https://github.com/peak-scale/sops-operator/.github/workflows/helm-publish.yml@refs/tags/*" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq ``` -------------------------------- ### Generate SOPS Configuration Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Creates a .sops.yaml configuration file for defining encryption rules. ```shell cat < ./.sops.yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ hc_vault_transit_uri: "${VAULT_ADDR}/v1/sops/keys/key-1" - path_regex: .*prod.yaml encrypted_regex: ^(data|stringData)$ hc_vault_transit_uri: "${VAULT_ADDR}/v1/sops/keys/key-2" EOF ``` -------------------------------- ### Verify Vault Connection Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Checks the status of the Vault instance. ```shell bao status ``` -------------------------------- ### Linting Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Runs the linter for code quality checks. ```shell make golint ``` -------------------------------- ### sops.yaml configuration for PGP key groups Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md YAML configuration for sops to specify PGP public keys and a shamir_threshold for decryption, enabling key groups. ```yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ shamir_threshold: 1 key_groups: - pgp: - ${PGP_PUB_KEY_1} - ${PGP_PUB_KEY_2} ``` -------------------------------- ### Deploy AGE private key Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Deploys the AGE private key to a specified Kubernetes namespace as a generic secret and labels it for use with the sops provider. ```shell export NAMESPACE=solar-namespace-1 export SECRETNAME=sops-age-solar cat key.txt | kubectl create secret generic $SECRETNAME \ --from-file=age.agekey=/dev/stdin \ --namespace=$NAMESPACE ``` ```shell kubectl label secret $SECRETNAME \ --namespace=$NAMESPACE \ sops.addons.projectcapsule.dev=true ``` -------------------------------- ### Create Kubernetes Secret for Vault Token Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Creates a Kubernetes secret in a specified namespace containing the Vault token. ```shell export NAMESPACE=solar-namespace-1 export SECRETNAME=sops-hcvault-solar echo $VAULT_TOKEN | kubectl create secret generic $SECRETNAME \ --from-file=sops.vault-token=/dev/stdin \ --namespace=$NAMESPACE ``` -------------------------------- ### Encrypting a file in-place Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to encrypt a YAML file directly using sops. ```shell sops -e -i secret.yaml ``` -------------------------------- ### Update Helm Chart Documentation Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Updates the documentation when changes are made to the Helm chart. ```shell make helm-docs ``` -------------------------------- ### Scale Down Operator for Development Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Reduces the operator's replicas to zero for local development. ```shell kubectl scale deploy sops-operator --replicas=0 -n sops-operator ``` -------------------------------- ### sops.yaml configuration for Vault/OpenBao key groups Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md YAML configuration for sops to specify HashiCorp Vault or OpenBao secret engine paths for encryption, supporting key groups. ```yaml - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ shamir_threshold: 1 key_groups: - hc_vault: - "${VAULT_ADDR}/v1/sops/keys/key-1" - "${VAULT_ADDR}/v1/sops/keys/key-2" ``` -------------------------------- ### List secrets in a namespace Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to list secrets created in a specific namespace after sops secret reconciliation. ```shell kubectl get secret -n solar-namespace-2 ``` -------------------------------- ### Lint Helm Chart Source: https://github.com/peak-scale/sops-operator/blob/main/docs/development.md Lints the Helm chart. ```shell make helm-lint ``` -------------------------------- ### Encrypting SopsSecret using sops command Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Commands to encrypt a SopsSecret file, either to a new file or in-place. ```shell # Encrypt to a new file sops -e secret.yaml > secret-encrypted.yaml # Or encrypt in-place sops -e -i secret.yaml ``` -------------------------------- ### Generate Age Key Pair Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to generate a new age key pair using the age-keygen utility. ```bash age-keygen -o key.txt ``` -------------------------------- ### Generate GnuPG Sops Configuration Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Generates a .sops.yaml configuration file using the GnuPG key fingerprint, specifying encryption rules for data and stringData fields. ```shell cat < ./.sops.yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ mac_only_encrypted: true pgp: ${KEY_FP} EOF ``` -------------------------------- ### Labeling a SopsSecret for provider matching Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to add a label to a SopsSecret, potentially for matching with a SopsProvider. ```shell kubectl label sopssecret example-secret sops-secret=true sopssecret.addons.projectcapsule.dev/example-secret labeled ``` -------------------------------- ### Export GnuPG key fingerprint Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Exports the GnuPG key fingerprint for a given key name, which is used for configuration and deployment. ```shell gpg --list-secret-keys "${KEY_NAME}" ``` ```shell export KEY_FP="02D183E768A118979D338F3D61BFB7FAE4690165" ``` -------------------------------- ### Export GnuPG public key Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Exports the GnuPG public key in armor format, which can be shared with team members for encrypting secrets. ```shell gpg --export --armor "${KEY_FP}" > .sops.pub.asc ``` -------------------------------- ### sops.yaml configuration for Age key groups Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md YAML configuration for sops to specify Age public keys for encryption, supporting key distribution. ```yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ age: - ${AGE_PUB_KEY_1} - ${AGE_PUB_KEY_2} ``` -------------------------------- ### Encrypt Sops Secret Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to encrypt a local secret file using the sops CLI. ```shell # Encrypt to a new file sops -e secret.yaml > secret-encrypted.yaml ``` -------------------------------- ### Generate GnuPG key pair Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Generates a GnuPG key pair with specified parameters, including key type, length, and expiration, without passphrase protection. ```shell export KEY_NAME="key.solar" export KEY_COMMENT="sops solar secret key" gpg --batch --full-generate-key < ./.sops.yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ mac_only_encrypted: true age: >- ${AGE_PUB_KEY} EOF ``` -------------------------------- ### sops.yaml configuration for MAC-only encryption Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md YAML configuration for sops to enable MAC-only encryption for specific file paths and data fields. ```yaml creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ mac_only_encrypted: true pgp: KEY ``` -------------------------------- ### Label Kubernetes Secret Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Adds a label to the Kubernetes secret to make it usable by the sops provider. ```shell kubectl label secret $SECRETNAME \ --namespace=$NAMESPACE \ sops.addons.projectcapsule.dev=true ``` -------------------------------- ### Encrypting secrets with MAC-only Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command-line flag to encrypt secrets with Message Authentication Code (MAC) only on encrypted values. ```shell sops --mac-only-encrypted -e -i secret.sops.yaml ``` -------------------------------- ### SopsSecret API Spec Schema Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md The schema for defining a GlobalSopsSecret, including secrets, labels, annotations, stringData, and data. ```yaml apiVersion: addons.projectcapsule.dev/v1alpha1 kind: GlobalSopsSecret metadata: name: example-secret spec: secrets: - name: [secret-name] namespace: [secret-name] labels: my-label: value1 annotations: my-annotation: value2 stringData: [Plain text string to be encrypted] data: [base64 encoded string to be encrypted] ``` -------------------------------- ### Apply sops secret Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Command to apply an encrypted sops secret to the Kubernetes cluster. ```shell kubectl apply -f secret-encrypted.yaml ``` -------------------------------- ### Enable Transit Secret Engine in Bao Source: https://github.com/peak-scale/sops-operator/blob/main/docs/usage.md Enables the transit secret engine in Bao, which is used for encryption and decryption. ```shell bao secrets enable -path=sops transit ``` -------------------------------- ### Uninstall Helm Chart Source: https://github.com/peak-scale/sops-operator/blob/main/charts/sops-operator/README.md Uninstalls the SOPS Operator Helm chart. ```bash $ helm uninstall sops-operator -n secrets-system ``` -------------------------------- ### Upgrade Helm Chart Source: https://github.com/peak-scale/sops-operator/blob/main/charts/sops-operator/README.md Upgrades the SOPS Operator Helm chart to a specific version. ```bash $ helm upgrade sops-operator oci://ghcr.io/peak-scale/charts/sops-operator --version 0.1.0 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.