Martin Koníček

Blog

SOPS Git Hooks for Kubernetes Secrets Management

Showcase image

I wanted to share something pretty exciting that I’ve been working on lately. If you’ve ever dabbled in Kubernetes, you know managing secrets can sometimes feel like trying to solve a Rubik's Cube blindfolded. So, I decided to take matters into my own hands and came up with a solution that I think has the potential to make our lives a lot easier.

The Inspiration Behind the Project

Here's the thing, managing Kubernetes secrets in a secure yet straightforward manner has always been a bit of a headache for me, especially when working with smaller deployments. The existing solutions felt like using a sledgehammer to crack a nut — overkill for what I needed. Tools like HashiCorp Vault, while powerful, felt too cumbersome for my single-node clusters.

So, I asked myself, "Why not create something tailored for my needs?" Something that doesn’t add unnecessary layers of complexity but keeps everything nice and secure. And well, that’s exactly what I did.

My Approach

Drawing on some AI magic, I decided to build a Git-based tool to manage Kubernetes secrets more efficiently. The whole idea was to automatically encrypt password and value fields in my Kubernetes YAML and Helm files before committing them into Git, and decrypt them effortlessly when checking out.

The Problem It Solves

Ever noticed how SOPS (Secrets OperationS by Mozilla) encrypts files differently every time, even if the contents haven't changed? That was a major pain point for me. It meant my Git history was cluttered with changes that weren't really changes. My solution? Use hashes to determine if a secret really changed before deciding to re-encrypt and update it. This significantly cut down on unnecessary updates and kept my Git history clean and meaningful.

The Technical Grit

I used AGE for key management because of its simplicity and security. I wrote a pre-commit hook to search for changes in the secrets and encrypt them on the fly. Then a post-checkout hook decrypts these secrets back into their plain-text glory for use in the deployment environment. Cool, right?

Why It’s a Game-Changer for Me

This project has been a game-changer for my Kubernetes workflow. It ticks all the right boxes—security, efficiency, and simplicity. No longer do I fret over accidentally committing sensitive info into version control. And the best part? I've designed it to be super user-friendly, so you don't need to be a security or Kubernetes expert to get it up and running.

Sharing Is Caring

Seeing how much this has helped me, I felt compelled to share it with the community. I mean, why keep something so useful all to myself? If you've faced similar frustrations with Kubernetes secrets management, I think you'll find this tool pretty handy.

I’ve put everything you need in a GitHub repo - from detailed instructions to the actual script files. It’s all there, waiting to make someone else’s Kubernetes journey a bit less rocky.

Reflecting on the Journey

Embarking on this personal project has been incredibly rewarding. Not only did I get to solve a real problem that was bugging me, but I also got to dive deep into AI, encryption, and the Kubernetes ecosystem. It's projects like these that remind me why I love being in tech — the constant learning, the problem-solving, and the joy of sharing something you've built with the wider community.

If this little adventure of mine has piqued your interest, I’d love for you to check out the tool, give it a spin, and let me know what you think. Perhaps, it could make managing Kubernetes secrets a breeze for you too.

Until next time, keep creating and sharing!

I hope you've found my journey interesting and maybe even inspiring. If you're curious and want to delve into the technicalities, or if you're eager to try it out yourself, head over to my GitHub repository. Let’s make Kubernetes secrets management a tad bit easier for everyone.

  • Self Hosted GitHub Action Runner on Kubernetes
    Self Hosted GitHub Action Runner on KubernetesI recently set up a self-hosted GitHub Action Runner on Kubernetes, enhancing my CI/CD pipeline with a private Docker repository and microk8s cluster. This setup, accessible via DNS with ingress, offered unparalleled control and security, thanks to the integration of a TLS-secured private Docker registry and my own Certificate Authority.
  • cs | en