How to Encrypt Secrets With SOPS for GitOps
SOPS encrypts only the values in a secret manifest, so the file is safe to commit and Flux decrypts it with an age key at apply time.
Encrypt the Secret with sops --encrypt using an age recipient, commit the result, and configure the Flux Kustomization with decryption.provider: sops. Flux holds the private key as a cluster secret.
Steps
- Generate an age key pair and store the private key as a cluster secret.
- Encrypt the Secret manifest with
sops --encrypt --age <pubkey>. - Commit the encrypted file to the GitOps repo.
- Set
spec.decryptionon the Flux Kustomization.
Kustomization with decryption
clusters/prod/api.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: api
namespace: flux-system
spec:
interval: 5m
path: ./apps/api
prune: true
sourceRef:
kind: GitRepository
name: deploy-config
decryption:
provider: sops
secretRef:
name: sops-ageGotchas
- SOPS encrypts values, not keys, so set
encrypted_regex: ^(data|stringData)$to skip metadata. - The
sops-agesecret must hold the private key underage.agekeyfor Flux to read it.
Related guides
How to Use Sealed Secrets in GitOpsEncrypt Kubernetes secrets into SealedSecret resources with kubeseal so they are safe to commit, and the clus…
How to Set Up a Flux GitRepository and KustomizationWire Flux to a repo with a GitRepository source and a Kustomization that applies a path on an interval, the t…