A Kubernetes KMS provider with mozilla/sops as the backend
┌────────────┐ ┌─────────┐ ┌────────────┐ │ Kubernetes │ ─────────────────► │ │ ─────────────────► │ │ │ │ TCP / UDP / unix │ ksops │ TCP / UDP / unix │mozilla/sops│ │ kubectl │ ◄───────────────── │ │ ◄───────────────── │ │ └────────────┘ └─────────┘ └────────────┘ 
- Install Go
- Download ksops source code
- Build ksops
cd <project_directory> go build ./cmd/ksops # executable `ksops` produced!
- Start mozilla/sops and listen on Unix domain sockets at
/tmp/sops.sock:sops keyservice \ --network unix \ --address "/tmp/sops.sock" - Start ksops and listen on Unix domain sockets at
/tmp/ksops.sock:
Here we configure ksops to use the PGP key for encryption/decryption. Actually mozilla/sops is doing the work, ksops only forwards the encrypt/decrypt request with the proper credentials../ksops \ --pgp.key="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" \ "unix:/tmp/ksops.sock" \ "unix:/tmp/sops.sock"
- Setup Kubernetes to use a KMS provider (ksops) for data encryption/decryption
Read the documentation!
Usage: ksops [OPTIONS] Address SopsAddress Age Group Options: --age.recipient= Age recipient AWS Group Options: --aws.arn= AWS ARN (Amazon Resource Name) --aws.role= AWS IAM role --aws.context= AWS encryption context --aws.profile= AWS profile Azure Group Options: --azure.url= Azure vault URL --azure.key_name= Azure key name --azure.key_version= Azure key version GCP Group Options: --gcp.id= GCP KMS resource ID Hashicorp Vault Group Options: --vault.address= Vault address --vault.engine_path= Vault transit secrets engine path --vault.key= Vault key PGP Group Options: --pgp.key= PGP key Help Options: -h, --help Show this help message Arguments: Address: Server listen address. For example: "tcp:127.0.0.1:12345". https://golang.org/pkg/net/#Listen SopsAddress: Sops program keyservice address. https://github.com/grpc/grpc/blob/master/doc/naming.md