In the realm of platform engineering, managing secrets securely is a critical aspect of ensuring the integrity of applications and services. One effective tool for this purpose is SOPS (Secrets OperationS), an open-source text file editor that encrypts and decrypts files. This article will delve into the technical details of integrating SOPS with CI/CD pipelines, highlighting its features and providing practical examples.
SOPS Fundamentals
SOPS is designed to manage secrets efficiently, offering a range of integrations with various tools and platforms. It supports both standard text files and structured files, making it versatile for different use cases. To create a new file using SOPS, you can run the following command:
```shell
cd
sops a-text-file.txt
```
This will create a new encrypted file named `a-text-file.txt`. You can then edit the content of the file and save it. Attempting to view the file using the `cat` command will not reveal the content, demonstrating the encryption capabilities of SOPS.
SOPS with HashiCorp Vault
HashiCorp Vault is a popular secrets manager that can be integrated with SOPS. To set up a local Vault server for testing, you can use Docker:
```shell
docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor
```
Once the Vault server is running, you can create a key for use with SOPS:
```shell
vault secrets enable -path=sops transit
vault write sops/keys/firstkey type=rsa-4096
```
This sets up a transit engine and creates a key named `firstkey`.
CI/CD Pipeline Integration
To integrate SOPS with a CI/CD pipeline, you can use tools like GitLab CI. The process involves creating a `.sops.yaml` file to configure SOPS and then defining a CI job to read and decrypt the encrypted secrets.
Here is an example of a GitLab CI job that uses SOPS to decrypt an encrypted file:
```yaml
deploy int:
  image: google/cloud-sdk
  before_script:
    - apt-get update && apt-get install -y curl gnupg
    - curl -qsL https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux -o /usr/local/bin/sops
    - chmod +x /usr/local/bin/sops
    # $KEY is a CI file variable holding the exported private key
    - cat $KEY | gpg --batch --import
    # sign a throwaway file so gpg-agent caches the passphrase for the sops run
    - echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp)
  script:
    - sops -d int.encrypted.env > int.env
    - cat int.env
```
This job installs `gpg` and `sops`, imports the key, and then decrypts the encrypted file using SOPS.
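Before the decrypt step, a practitioner usually wants a guard that the committed `int.encrypted.env` really is SOPS-encrypted, so that a hand edit cannot slip a plaintext secret into the repository. The checker below is an added example, not code from the article or from SOPS itself; it assumes the dotenv layout SOPS writes (`sops_*` metadata keys, values wrapped as `ENC[AES256_GCM,...]`, keys ending in the default `_unencrypted` suffix left in the clear), and the sample file content is constructed.

```python
import re
import sys
from typing import Dict, List

# Shape of every value SOPS writes for an encrypted dotenv entry.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:(str|int|float|bool)\]$")
META_PREFIX = "sops_"          # SOPS flattens its metadata into sops_* keys in .env files
UNENC_SUFFIX = "_unencrypted"  # default unencrypted_suffix: such keys stay plaintext by design

def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for the layout SOPS emits (no quoting or expansion)."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def check_encrypted(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to commit and decrypt."""
    env = parse_dotenv(text)
    if "sops_mac" not in env or "sops_version" not in env:
        return ["missing sops metadata (sops_mac/sops_version): file is not SOPS-encrypted"]
    return [
        f"plaintext value for {key}"
        for key, value in env.items()
        if not key.startswith(META_PREFIX) and not key.endswith(UNENC_SUFFIX)
        and not ENC_RE.match(value)
    ]

# Constructed sample of an encrypted .env; the base64 pieces are dummies, not real ciphertext.
GOOD = """\
DB_PASSWORD=ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
API_URL_unencrypted=https://api.example.test
sops_version=3.5.0
sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
sops_lastmodified=2020-01-01T00:00:00Z
"""
# The same file after a hand edit left one secret in the clear.
LEAKED = GOOD.replace("DB_PASSWORD=ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
                      "DB_PASSWORD=hunter2")

if __name__ == "__main__":
    # Usage in CI: python check_sops_env.py int.encrypted.env  (non-zero exit on any problem)
    problems = check_encrypted(open(sys.argv[1], encoding="utf-8").read())
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run it against the encrypted file before `sops -d`, either in a pre-commit hook or as the first `script` line of the job. Note that the job's final `cat int.env` step writes the decrypted secrets into the CI job log, so it should not survive past initial debugging.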
Optimizing the CI/CD Pipeline
To optimize the CI/CD pipeline, you can create a custom Docker image that includes `gpg` and `sops`. This image can then be used in the CI job, reducing the need for additional setup steps.
Here is an example of a `Dockerfile` that creates such an image:
```dockerfile
# stage 1: fetch the sops binary
FROM tutum/curl AS downloader
RUN curl -qsL https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux -o /opt/sops && \
    chmod +x /opt/sops

# stage 2: copy sops into the cloud-sdk image and add gnupg
FROM google/cloud-sdk AS final
COPY --from=downloader /opt/sops /usr/local/bin/sops
RUN apt-get update && apt-get install -y gnupg --no-install-recommends
```
This image can be built and published to a Docker registry, allowing it to be easily used in the CI job.
Conclusion
Integrating SOPS with CI/CD pipelines offers a robust solution for managing secrets securely. By leveraging the features of SOPS and tools like HashiCorp Vault, you can ensure the integrity of your applications and services. This technical guide has demonstrated the practical steps involved in setting up SOPS with a CI/CD pipeline, providing a comprehensive understanding of the process.