Management of secrets via ArgoCD requires extra configuration, unlike FluxCD, which features seamless integration. However, ArgoCD allows for the ability to integrate using many popular tools of the GitOps community. For more information on the variety of tools available and the mechanics behind them, I highly recommend reading this blog post by Jann Fischer and Raffaele Spazzoli.

This article will explore how to integrate Mozilla SOPS with Openshift Gitops Operator using the Kustomize plugin known as KSOPS. For the encryption of the file, we will use the Age tool, which the SOPS documentation recommends over PGP.

What is KSOPS?

KSOPS, or kustomize-SOPS, is a kustomize plugin for managing SOPS-encrypted resources. KSOPS can be used to decrypt any Kubernetes resource, but it is most commonly used to decrypt Kubernetes Secrets and ConfigMaps. The primary goal of KSOPS is to manage encrypted resources the same way we manage the Kubernetes manifests.

Requirements for getting started:

1. OpenShift 4 cluster

2. OpenShift CLI

3. Kustomize CLI


 Install GitOps Operator

Follow the OpenShift Gitops Operator Installation guide for instructions. Verify that all the pods in the openshift-gitops namespace are running:

$ oc get pods -n openshift-gitops

Example output

NAME                                                              READY   STATUS        RESTARTS   AGE
cluster-b5798d6f9-zr576                                           1/1         Running   0              65m
kam-69866d7c48-8nsjv                                              1/1         Running   0              65m
openshift-gitops-application-controller-0                         1/1         Running   0              53m
openshift-gitops-applicationset-controller-6447b8dfdd-5ckgh 1/1         Running   0              65m
openshift-gitops-redis-74bd8d7d96-49bjf                           1/1         Running   0              65m
openshift-gitops-repo-server-c999f75d5-l4rsg                      1/1         Running   0              65m
openshift-gitops-server-5785f7668b-wj57t                          1/1         Running   0              53m

Generate Age Key

Install the Age tool and run the below command to generate a new key:

$ age-keygen -o age.agekey
Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg

OpenShift Secret

The next step is to create a secret in the “openshift-gitops” project:

cat age.agekey | oc create secret generic sops-age --namespace=openshift-gitops \

Now, we are ready to update the ArgoCD custom resource to enable custom tooling.

ArgoCD with Custom Tooling

Navigate to the ArgoCD link under the Red Hat OpenShift GitOps operator and Edit the object.

Update the repo server options for ArgoCD as shown below. With the configuration below, we are:

  • Creating a new initContainer and installing KSOPS under custom-tools
  • Mounting the age private key to decrypt secrets
   value: /.config
   value: /.config/sops/age/keys.txt
 - name: custom-tools
   emptyDir: {}
 - name: sops-age
     secretName: sops-age
 - name: install-ksops
   image: viaductoss/ksops:v3.0.2
   command: ["/bin/sh", "-c"]
   - 'echo "Installing KSOPS..."; cp ksops /custom-tools/; cp $GOPATH/bin/kustomize /custom-tools/; echo "Done.";'
     - mountPath: /custom-tools
       name: custom-tools
 - mountPath: /usr/local/bin/kustomize
   name: custom-tools
   subPath: kustomize
 - mountPath: /.config/kustomize/plugin/
   name: custom-tools
   subPath: ksops
 - mountPath: /.config/sops/age/keys.txt
   name: sops-age
   subPath: keys.txt

Once saved, you should see openshift-gitops-repo-server pod is recreated.

Now, we are ready to test our changes:

1. Configure SOPS via .sops.yaml

For this example and testing, KSOPS relies on the SOPS creation rules defined in .sops.yaml. To make encrypted secrets more readable, it is suggested to use the following encryption regex to only encrypt data and stringData values. This leaves non-sensitive fields, like the secret's name, unencrypted and human-readable.

cat <<EOF > .sops.yaml
- path_regex: apps/.*\.sops\.ya?ml
  encrypted_regex: "^(data|stringData)$"
  age: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg

2. Create a local Kubernetes Secret:

cat <<EOF > secret.sops.yaml
apiVersion: v1
kind: Secret
name: mysecret
type: Opaque
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm

3. Encrypt with SOPS CLI:

        sops --encrypt --in-place secret.sops.yaml

4. Define KSOPS kustomize Generator:

cat <<EOF > secret-generator.yaml
kind: ksops
# Specify a name
name: example-secret-generator
- ./secret.sops.yaml

5. Create the kustomization.yaml and Push all the changes to the Git repository. Read about kustomize plugins:

cat <<EOF > kustomization.yaml
- ./secret-generator.yaml

6. Create a new Argo application from the Argo console using your repository.

7. Argo will fetch the latest commit and apply the changes.


8. Verify the applied changes in the OpenShift console.


In summary, SOPS is an effective tool for securely managing secret information and integrated with ArgoCD it provides a seamless way to manage secrets the same way we manage the rest of the Kubernetes manifests.


How-tos, Security, GitOps, Argo CD

< Back to the blog