Commit a70b30c

committed
Additional documentation on kustomize patches with sops
Signed-off-by: Gergely Nagy <[email protected]>
1 parent dc0e585 commit a70b30c

File tree

1 file changed

+59
-0
lines changed


docs/spec/v1/kustomizations.md

Lines changed: 59 additions & 0 deletions
@@ -1649,6 +1649,65 @@ secretGenerator:
16491649
- .dockerconfigjson=ghcr.dockerconfigjson.encrypted
16501650
```
16511651

1652+
### SOPS Encrypted Kustomize patches
1653+
1654+
SOPS encrypted data can be stored as [Kustomize `patches`](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) as long as they're in separate files, not inlined in `kustomization.yaml`. The kustomize-controller decrypts these before executing kustomization pipeline, allowing for adding secret data to resources or merging Secrets. For example:
1655+
1656+
```yaml
1657+
apiVersion: v1 #patch1.yaml
1658+
kind: Secret
1659+
metadata:
1660+
name: secret
1661+
stringData:
1662+
secretConfig: "my-secret-configuration"
1663+
```
1664+
1665+
```yaml
1666+
apiVersion: v1 #patch2.yaml
1667+
kind: Secret
1668+
metadata:
1669+
name: secret
1670+
stringData:
1671+
secretToken: "my-secret-token"
1672+
```
1673+
1674+
```yaml
1675+
apiVersion: v1 #base.yaml
1676+
kind: Secret
1677+
metadata:
1678+
name: secret
1679+
stringData:
1680+
publicConifg: "my-public-config"
1681+
```
1682+
1683+
```yaml
1684+
apiVersion: kustomize.config.k8s.io/v1beta1 #kustomization.yaml
1685+
kind: Kustomization
1686+
resources:
1687+
- base.yaml
1688+
patches:
1689+
- path: patch1.yaml
1690+
- path: patch2.yaml
1691+
```
1692+
1693+
```sh
1694+
sops -e --input-type=yaml patch1.yaml
1695+
sops -e --input-type=yaml patch2.yaml
1696+
```
1697+
1698+
After kustomize-controller does the reconciliation of `kustomization.yaml`, the following secret will be generated in the cluster:
1699+
1700+
```yaml
1701+
apiVersion: v1
1702+
kind: Secret
1703+
metadata:
1704+
name: secret
1705+
stringData:
1706+
publicConifg: "my-public-config"
1707+
secretToken: "my-secret-token"
1708+
secretConfig: "my-secret-configuration"
1709+
```
1710+
16521711
### Post build substitution of numbers and booleans
16531712

16541713
When using [variable substitution](#post-build-variable-substitution) with values
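Review bot: the two encryption commands at the end of the new section, `sops -e --input-type=yaml patch1.yaml` and the matching `patch2.yaml` line, write the encrypted document to stdout and leave the files on disk in plaintext, so a reader who runs them as written and then commits `patch1.yaml` / `patch2.yaml` pushes the secret values unencrypted; add `-i` (`sops -e -i --input-type=yaml patch1.yaml`) or redirect the output into the file that `kustomization.yaml` references. Two smaller points in the same hunk: `publicConifg` in `base.yaml` and in the resulting Secret should read `publicConfig`, and "before executing kustomization pipeline" is missing "the".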
