# Safely secure secrets: a sops plugin for kustomize

A while ago I switched all our tooling from [helm](https://github.com/helm/helm) to [kustomize](https://github.com/kubernetes-sigs/kustomize). The *why* of this I'll leave for another day, but it involves [Tiller](https://helm.sh/docs/glossary/#tiller) and the Security Surprises that Lurk Inside.

All was going well, and then all of a sudden the project removed support for external secrets. The reasons for that are also a story for another day, but it left me high and dry.

After some discussion, a plan was mooted to make Go plugins available. Nearly all of the feedback was to not do this, but nonetheless that is what happened. So I'm still left high and dry, with a brittle interface in a restrictive language as the only option. Grr.

OK, so, let's move forward. I [present](https://github.com/Agilicus/kustomize-sops) to you a Kustomize plugin for [sops](https://github.com/mozilla/sops). This allows me to safely commit my secrets to git, to rotate the keys used to protect them, and to do IAM-based access to them, without too much end-user complexity.

It's probably simplest if you read the [Github](https://github.com/Agilicus/kustomize-sops) repository. A small ask: if you like this, please star it.

[![](https://www.agilicus.com/www/2019/04/cbc4535b-image.png)](https://github.com/Agilicus/kustomize-sops)

Now, how do you use it? Well, it's relatively simple. First, create a `secrets.yaml` file. In it you place all your secrets as `name: value` pairs. Then, encrypt it. In the [README](https://github.com/Agilicus/kustomize-sops/blob/master/README.md) I show how to do this with Google KMS, but you can use any of the methods [sops](https://github.com/mozilla/sops) supports (PGP, AWS KMS, etc).

```
sops --encrypt --gcp-kms projects/.../sops-key secrets.yaml > secrets.enc.yaml
```

Then, add a `secretGenerator` to your Kustomize, referencing this plugin:

```
secretGenerator:
  - name: mysecrets
    kvSources:
      - name: kustomize-sops
        pluginType: go
        args:
          - CAT
          - DOG
```

OK, now run `kustomize` as normal (and try not to grit your teeth at the double misspelling of s/c/k and s/z/s).

I purposely did not compile the plugin for you. Do this:

```
mkdir -p ~/.config/kustomize/plugins/kvSources
go build -buildmode plugin -o ~/.config/kustomize/plugins/kvSources/kustomize-sops.so kustomize-sops.go
```

Why did I not build it for you? **BECAUSE YOU SHOULD NOT TRUST YOUR SECRETS TO A BINARY PROVIDED BY A RANDOM PERSON ON THE INTERNET.**

OK, I really hope you like this. The code is short. It doesn't support real YAML (it only supports flat `NAME: VALUE` pairs) because of how limiting Go is. It doesn't support multiple secrets files because the interface that was created doesn't have config, metadata, or extensibility.
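As an added illustration (not code from the kustomize-sops repository), here is a standalone Go parser for the flat `NAME: VALUE` format the post describes. It returns only the keys named in the generator's `args`, and it fails closed on anything outside that format (indentation, a line without a colon, a duplicate or missing key), so a typo in the kustomization cannot silently produce an empty or partial Secret. The function name `parseSecrets` and the sample input are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// sampleDecrypted is a constructed stand-in for what `sops --decrypt`
// hands back: the flat secrets file with the sops metadata block removed.
const sampleDecrypted = `# constructed sample, not a real secrets file
CAT: meow-password
DOG: woof-token
BIRD: not-requested-by-the-generator
`

// parseSecrets parses the one-pair-per-line NAME: VALUE format and returns
// the values for exactly the keys in wanted. Nesting is not a supported
// feature of this format, so an indented line is rejected rather than
// interpreted; unknown or missing keys are errors rather than empty strings.
func parseSecrets(decrypted string, wanted []string) (map[string]string, error) {
	all := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(decrypted))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments carry no secret
		}
		if raw != strings.TrimLeft(raw, " \t") {
			return nil, fmt.Errorf("line %d: indented line, nested YAML is not supported", lineNo)
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("line %d: expected NAME: VALUE", lineNo)
		}
		name := strings.TrimSpace(parts[0])
		value := strings.TrimSpace(parts[1])
		if name == "" {
			return nil, fmt.Errorf("line %d: empty secret name", lineNo)
		}
		if _, dup := all[name]; dup {
			return nil, fmt.Errorf("line %d: duplicate secret name %q", lineNo, name)
		}
		all[name] = value
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}

	// Hand back only what the kustomization asked for; a requested key that
	// is absent from the file is an error, never a silently empty value.
	out := make(map[string]string, len(wanted))
	for _, k := range wanted {
		v, ok := all[k]
		if !ok {
			return nil, fmt.Errorf("requested secret %q not present in secrets file", k)
		}
		out[k] = v
	}
	return out, nil
}

func main() {
	pairs, err := parseSecrets(sampleDecrypted, []string{"CAT", "DOG"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// Report names and lengths only; a generator should never echo secret values.
	for k, v := range pairs {
		fmt.Printf("%s: %d bytes\n", k, len(v))
	}
}
```

Running it prints the two requested names with their value lengths and ignores `BIRD`; feeding it a nested YAML document, or asking for a key the file lacks, returns an error instead of a Secret with holes in it.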

But it works. And now you can safely commit your secrets.

I'll leave it as an exercise to the reader to install sops and configure it so it works well with git (e.g. for diff purposes). It's well documented on their page.

And if you got here, and you think this is useful, a **star** on the Github would help us out.