In Kubernetes, how to create a sops secret from a binary file? #1200

Open

HugoRh opened this issue Apr 20, 2023 · 2 comments

Comments

HugoRh commented Apr 20, 2023

Hi!

I'm struggling with this one. All my secrets are maintained with SOPS; recently I had to integrate a binary file as a secret, but I can't seem to make it work...
I can update the binary file in place, but I can't integrate it in a template...
Does anyone have a method to achieve that?

Thanks!!

anutator commented May 26, 2023

You can encrypt any file (its content) using a variable:

secrets.yml (encrypted by SOPS+age):

```yaml
secretEnvFile:
    private.pem: ENC[AES256_GCM,data:jf6g3AW0RPRBuTC+LCTzjVPhzfD+0Mklz+DnCggfgfgf...
```

values.yml (not encrypted):

```yaml
volumeMounts:
- name: jwt
  mountPath: /app/jwt/
  readOnly: true
.....
...
```

Export this private.pem as a file (I also use pluck to get different variables for dev, test etc.).

_helpers.tpl:

```
{{- /* Each key becomes a file name in the Secret; the text value is base64-encoded for data: */ -}}
{{- define "GetSecretFiles" -}}
{{- with .Values.secretEnvFile }}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | b64enc }}
{{- end }}{{- end }}
{{- /* Tier-specific values: pick the entry for .Values.TIER, else fall back to _default */ -}}
{{- with .Values.secretTiersFile }}
{{- range $k, $v := . }}
{{ $k }}: {{ pluck $.Values.TIER $v | first | default $v._default | b64enc }}
{{- end }}{{- end }}
{{- end }}
```

secret-jwt.yml:

```yaml
{{- $fullName := include "GetAppFullname" . -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ printf "%s-%s" $fullName "jwt" }}
  labels: {{- include "GetLabels" . | nindent 4 }}
type: Opaque
data:
{{- include "GetSecretFiles" . | indent 2 }}
```

deployment.yml (mount the variables from secret-jwt.yml as files in a volume):

```yaml
.....
      volumes:
      - name: jwt
        secret:
          secretName: {{ printf "%s-%s" $fullName "jwt" }}
          defaultMode: 0444
.....
      containers:
      - name: {{ $fullName }}
        .....
        volumeMounts: {{- toYaml .Values.volumeMounts | default "" | nindent 10 }}
```

So the file is /app/jwt/private.pem

debu99 commented Apr 13, 2024

How to make it easier next time to encrypt/decrypt with this line `secretEnvFile: private.p12: ENC[AES256_GCM,data:jf6g3AW0RPRBuTC+LCTzjVPhzfD+0Mklz+DnCggfgfgf...`, and it should be a binary file instead of text?
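The approach in the answer above relies on `b64enc` turning a text value (a PEM file) into Secret `data:`. The binary case raised here (a `.p12` file) has one extra constraint: YAML cannot carry raw bytes, so the file must be base64-encoded before it goes into the values file that sops encrypts, and the template must then copy that value into `data:` without encoding it a second time. The following is an added example, not code from this thread, from SOPS or from Helm. It renders the Secret with Go's `text/template` (the engine Helm uses) and a stand-in `b64enc` built on the standard library instead of Sprig; the `secretBinFile` values key is a hypothetical name chosen for this example, the values are shown already decrypted (sops itself is not run), and the sample file contents are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
)

// Values stands in for the already-decrypted secrets.yml. Keys are file
// names under the mounted volume. SecretEnvFile holds text the template
// base64-encodes, as in the GetSecretFiles helper. SecretBinFile is a
// hypothetical key (assumption, not from the thread) whose values are
// already base64, because a binary file cannot sit in YAML as raw bytes.
type Values struct {
	FullName      string
	SecretEnvFile map[string]string
	SecretBinFile map[string]string
}

// secretTmpl condenses secret-jwt.yml and the helper into one template.
// Binary entries are copied verbatim, never passed through b64enc again.
const secretTmpl = `apiVersion: v1
kind: Secret
metadata:
  name: {{ .FullName }}-jwt
type: Opaque
data:
{{- range $k, $v := .SecretEnvFile }}
  {{ $k }}: {{ $v | b64enc }}
{{- end }}
{{- range $k, $v := .SecretBinFile }}
  {{ $k }}: {{ $v }}
{{- end }}
`

// funcs supplies b64enc with the same output as Sprig's (standard alphabet, padded).
var funcs = template.FuncMap{
	"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
}

// EncodeBinaryForValues is the step to run on a binary file before it is
// placed in the values file: the bytes become an ordinary YAML string.
func EncodeBinaryForValues(raw []byte) string {
	return base64.StdEncoding.EncodeToString(raw)
}

// RenderSecret renders the Secret manifest from decrypted values.
func RenderSecret(v Values) (string, error) {
	t, err := template.New("secret").Funcs(funcs).Parse(secretTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SecretData decodes the data: entries of a rendered manifest, i.e. the bytes
// the pod sees in each mounted file. It only understands the flat layout
// secretTmpl emits.
func SecretData(manifest string) (map[string][]byte, error) {
	files := map[string][]byte{}
	inData := false
	for _, line := range strings.Split(manifest, "\n") {
		switch {
		case line == "data:":
			inData = true
		case inData && strings.HasPrefix(line, "  "):
			key, val, ok := strings.Cut(strings.TrimSpace(line), ": ")
			if !ok {
				return nil, fmt.Errorf("malformed data entry: %q", line)
			}
			raw, err := base64.StdEncoding.DecodeString(val)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", key, err)
			}
			files[key] = raw
		default:
			inData = false
		}
	}
	return files, nil
}

// RoundTrip renders a Secret from one text file and one binary file and
// returns the bytes each mounted file would contain.
func RoundTrip(pem string, p12 []byte) (map[string][]byte, error) {
	v := Values{
		FullName:      "myapp",
		SecretEnvFile: map[string]string{"private.pem": pem},
		SecretBinFile: map[string]string{"private.p12": EncodeBinaryForValues(p12)},
	}
	manifest, err := RenderSecret(v)
	if err != nil {
		return nil, err
	}
	return SecretData(manifest)
}

// DoubleEncoded reproduces the mistake of putting the pre-encoded binary under
// secretEnvFile: b64enc runs again and the mounted private.p12 holds base64
// text instead of the original bytes.
func DoubleEncoded(p12 []byte) ([]byte, error) {
	v := Values{FullName: "myapp", SecretEnvFile: map[string]string{"private.p12": EncodeBinaryForValues(p12)}}
	manifest, err := RenderSecret(v)
	if err != nil {
		return nil, err
	}
	files, err := SecretData(manifest)
	if err != nil {
		return nil, err
	}
	return files["private.p12"], nil
}

func main() {
	// Constructed inputs: not a real key or PKCS#12 file, just bytes
	// (including NUL and 0xFF) that YAML could not hold as-is.
	pem := "-----BEGIN PRIVATE KEY-----\nc2FtcGxl\n-----END PRIVATE KEY-----\n"
	p12 := []byte{0x30, 0x82, 0x00, 0xff, 0x0a, 0x00}
	files, err := RoundTrip(pem, p12)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Println("private.pem restored:", string(files["private.pem"]) == pem)
	fmt.Println("private.p12 restored:", bytes.Equal(files["private.p12"], p12))
	bad, _ := DoubleEncoded(p12)
	fmt.Printf("double-encoded private.p12 is text, not bytes: %q\n", bad)
}
```

The practical reading for the original chart: keep binary files in a separate values key whose template branch emits `{{ $k }}: {{ $v }}`, and keep `b64enc` only on the branch for text files; a quick way to catch a mix-up is to decode the rendered `data:` entry and compare it to the original file, as `RoundTrip` does.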
