Skip to main content

ArgoCD with Kustomize and KSOPS using Age encryption

·2 mins

I am a big fan of FluxCD and its integration with secrets management; however, recently, I decided to tinker with ArgoCD. One of the challenges I encountered was secrets management. Although ArgoCD provides flexible integration with most secrets management tools, it requires little extra configuration.

So I started my journey to configure ArgoCD with SOPS; there isn’t a direct integration with SOPS. So we will have to use the Kustomize plugin called ksops, which is the suggested tool on Argo’s website and it has pretty good instructions for Argo integration.

What is KSOPS? #

KSOPS, or kustomize-SOPS, is a kustomize plugin for managing SOPS encrypted resources. KSOPS is used to decrypt any Kubernetes resources but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps. The main goal of KSOPS is to manage encrypted resources the same way we manage the Kubernetes manifests.

Setup #

I am setting up this integration on my OpenShift cluster and deploying ArgoCD via Operator. For file encryption, I’ll use Age encryption tool recommended over PGP by SOPS documentation.

Generate age key #

Install age package

Generating an age key using age-keygen:

$ age-keygen -o age.agekey
Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg
Create a secret with the age private key; the key name must end with .agekey to be detected as an age key:

Secret #

Create a kubernetes secret from the age key in openshift-gitops project

$ cat age.agekey | kubectl create secret generic sops-age --namespace=openshift-gitops \
--from-file=key.txt=/dev/stdin

Configuration #

Update the `spec.repo`` definition of ArgoCD CR to configure KSOPS custom tooling. Below configuration mounts the age secret and installs the KSOPS tool using initContainer

repo:
  env:
    - name: XDG_CONFIG_HOME
      value: /.config
    - name: SOPS_AGE_KEY_FILE
      value: /.config/sops/age/keys.txt
  volumes:
    - name: custom-tools
      emptyDir: {}
    - name: sops-age
      secret:
        secretName: sops-age
  initContainers:
    - name: install-ksops
      image: viaductoss/ksops:v3.0.2
      command: ["/bin/sh", "-c"]
      args:
        - 'echo "Installing KSOPS..."; cp ksops /custom-tools/; cp $GOPATH/bin/kustomize /custom-tools/; echo "Done.";'
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  volumeMounts:
    - mountPath: /usr/local/bin/kustomize
      name: custom-tools
      subPath: kustomize
    - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
      name: custom-tools
      subPath: ksops
    - mountPath: /.config/sops/age/keys.txt
      name: sops-age
      subPath: keys.txt

Here is a guide for creating and testing the resources