Security: Mozilla SOPS secrets
- Encrypts JSON/YAML values.
Example config:
$ cat .sops.yaml
# Note - script for key rotation k8sAzure/az-cli-helm-secret-rotate.sh
# NOTE(review): the rotation script shown further down this page is named helm-rotate.sh;
# confirm which path is the current one.
# Note: get latest with $ AZ_KEY="helm-cust1-prd"; az keyvault key list-versions --id https://${AZ_KEY}.vault.azure.net/keys/${AZ_KEY} --query "[0].kid"
# NOTE(review): "[0]" is just the first element of the returned list; confirm it is really the
# newest key version (check the version's creation timestamp) before pasting its kid below.
#
# Every azure_keyvault URL below pins a specific key *version* (the trailing hex id).
# Rotating the Key Vault key therefore means updating the URL here AND re-running the
# rotation script; files that are not re-encrypted stay wrapped with the old version.
# The pgp entry is an additional master key: sops wraps the data key for every key listed
# in a rule, so the holder of this PGP key can decrypt every file without any Key Vault
# access. Treat it as a break-glass key and protect it accordingly.
# Rules are evaluated top-down and the first matching path_regex wins, so order matters.
# The (.dec)? suffix presumably exists so helm-secrets' plaintext working copies resolve
# to the same rule as the encrypted file — confirm.
creation_rules:
  # NOTE(review): (cust1|cust).* also matches cust2 … cust5 directories ("cust" followed by
  # anything), so with first-match semantics the dedicated cust2–cust5 rules below may never
  # be reached and every customer's uat/prd file would be wrapped with the cust1 key.
  # If "cust" is a literal directory name, anchor it (e.g. env/(cust1|cust)/(uat|prd)/ ).
  # The unescaped "." in secrets.yaml also matches any character (minor).
  - path_regex: env/(cust1|cust).*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust1-prd.vault.azure.net/keys/helm-cust1-prd/610aa30aa00b4184a07fa9cbb23463ef"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust2.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust2-prd.vault.azure.net/keys/helm-cust2-prd/bb24f66d53f04827915c5b79f3e75a97"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust3.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust3-prd.vault.azure.net/keys/helm-cust3-prd/750724205e5348d89e04b66b11651141"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust4.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust4-prd.vault.azure.net/keys/helm-cust4-prd/ecca09fae61c45bf8ec1e14fee839b0c"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  - path_regex: env/cust5.*/(uat|prd)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-cust5-prd.vault.azure.net/keys/helm-cust5-prd/112647eb61f04d199c69c776a8597965"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
  # All dev tst uat
  # NOTE(review): the regex below only matches (dev|tst); uat is covered by the per-customer
  # rules above. Its first alternative, "secrets.yaml", is unanchored and matches any path
  # containing that name, so this rule must stay LAST — moved up, it would wrap prod files
  # with the shared dev key.
  - path_regex: secrets.yaml|env/.*/(dev|tst)/secrets.yaml(.dec)?$
    azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev/f8b2253f9af2407f8f870052ff2b233f"
    pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
#
# Default catch all -filename_regex, or -path_regex with encrypted_regex
# - azure_keyvault: "https://helm-all-dev.vault.azure.net/keys/helm-all-dev-nomatch/2532969fce7f46aab72a767e854ad9e4"
#   pgp: "7C1949EFE7ECE6AF0400DB2B8C290E5B228A2B67"
#   encrypted_regex: ".*_secret|.*password|.*pin"
#The END
Script to rotate keys: helm-rotate.sh
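#!/bin/bash
#
# Re-encrypt every helm-secrets / sops encrypted YAML file in the repository
# so that it is wrapped with the master keys currently listed in .sops.yaml
# (run after a Key Vault key rotation). For each candidate file:
#   helm secrets dec FILE   -> writes the plaintext to FILE.dec
#   helm secrets enc FILE   -> re-encrypts FILE from FILE.dec with the current keys
#   rm FILE.dec             -> removes the plaintext working copy
#
# Usage:    helm-rotate.sh          (run from anywhere inside the git checkout)
# Requires: git, GNU grep (-Z), helm with the secrets plugin.
# Exit status: 0 if every file was rotated, 1 if any file failed.
set -euo pipefail

# Plaintext working copy of the file currently being processed. The EXIT
# trap removes it so an interrupted run never leaves decrypted secrets behind.
current_dec=""
cleanup() {
  if [[ -n "$current_dec" ]]; then
    rm -f -- "$current_dec"
  fi
}
trap cleanup EXIT

#######################################
# Decrypt and re-encrypt one file in place.
# Globals:   current_dec (written)
# Arguments: $1 - path of the encrypted YAML file
# Outputs:   progress and the file's current key references on stdout,
#            errors on stderr
# Returns:   0 on success, 1 if either helm step failed
#######################################
rotate_file() {
  local f=$1
  printf 'f=%s\n' "$f"
  # Informational: show which key references the file carries right now.
  # grep exits 1 when nothing matches, which must not abort the run.
  grep -n "sops-\|helm-\|vault.azure.net" -- "$f" || true
  current_dec="$f.dec"
  if ! helm secrets dec "$f"; then
    printf 'ERROR: decrypt failed for %s (file left unchanged)\n' "$f" >&2
    rm -f -- "$current_dec"
    current_dec=""
    return 1
  fi
  # Do not run enc after a failed dec: it would operate on a stale or
  # missing .dec file instead of the freshly decrypted contents.
  if ! helm secrets enc "$f"; then
    printf 'ERROR: re-encrypt failed for %s\n' "$f" >&2
    rm -f -- "$current_dec"
    current_dec=""
    return 1
  fi
  rm -f -- "$current_dec"
  current_dec=""
  printf '\n'
}

#######################################
# Locate candidate files under the git root and rotate each one.
# Globals:   none
# Arguments: none
# Returns:   exits 1 if git is unavailable or any file failed
#######################################
main() {
  local gitroot failed=0 f
  echo "Decrypt and re-encrypt files ..."
  gitroot=$(git rev-parse --show-toplevel) || exit 1
  # Candidates: files whose content mentions a sops-/helm- key name.
  # "$gitroot"/* deliberately skips root-level dotfiles and dot-directories
  # (.git, .sops.yaml). Filenames are NUL-delimited (-Z) so paths with
  # spaces survive; only *.yaml is accepted so a stale *.yaml.dec plaintext
  # copy is never treated as an encrypted input, and a nested .sops.yaml is
  # skipped because it is configuration, not an encrypted file.
  while IFS= read -r -d '' f; do
    [[ "$f" == *.yaml ]] || continue
    [[ "${f##*/}" == .sops.yaml ]] && continue
    rotate_file "$f" || failed=1
  done < <(grep -rilZ "sops-\|helm-" -- "$gitroot"/*)
  if (( failed )); then
    printf 'One or more files were not rotated; see errors above.\n' >&2
    exit 1
  fi
}
main "$@"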