We all have been using .env files for microservices, which is typically a configuration file used to store environment-specific variables and settings. These files are usually plain text file which poses security risk. If the file is accidently exposed or included in version control, it can lead to data breaches.
When we use them in Kubernetes as secrets it can bring about various difficulties and challenges:
- Security Risks: Secrets frequently contain sensitive data like passwords, tokens, and certificates. Inadequate management can lead to security vulnerabilities and breaches.
- Manual Complexity: Traditional manual handling of secrets is prone to errors, especially in larger setups with numerous pods and microservices.
- Encryption Gaps: Kubernetes secrets are encoded in Base64, but lack default encryption. This means unauthorized access to the cluster can easily decode them.
- Access Control Limitations: Kubernetes secrets offer limited control over access. Access is usually controlled at the namespace level, which might not be suitable for intricate scenarios.
- Rotation Complications: Regularly rotating secrets for better security can be intricate and might necessitate downtime or specialized tools.
- Auditing and Compliance: Ensuring authorized access to secrets and monitoring their usage for compliance can prove challenging.
- Versioning Hurdles: Kubernetes secrets lack inherent version tracking. Updates overwrite existing secrets, making it difficult to trace changes or revert to prior versions.
- Secret Proliferation: As microservices and applications increase, managing secrets across various namespaces and clusters can become unwieldy.
- Centralized Management Gap: Kubernetes secrets may not offer a centralized view or interface for managing secrets across clusters.
- Integration Complexity: Integrating Kubernetes secrets with external secret management tools or key management systems often requires custom setups and additional complexities.
To mitigate these issues, organizations often adopt specialized secret management tools and practices that enhance security, automation, encryption, access control, and simplify secret rotation.
One such tool is Mozilla’s SOPS tool.
What is SOPS?
Mozilla SOPS, or Secrets OPerationS, stands as an open-source tool meticulously crafted by Mozilla. It serves a singular purpose: to streamline the intricacies of handling encrypted files that house confidential data and configuration specifics. Its primary application lies in safeguarding sensitive content within configuration files, particularly within environments involving version-controlled repositories and configuration management systems.
The core strength of SOPS lies in its adaptability to a diverse range of encryption techniques and key management frameworks. This versatility is further enhanced by its integration capabilities with renowned key management platforms, including AWS Key Management Service (KMS), Google Cloud KMS, HashiCorp Vault, among others. By utilizing SOPS, you gain the ability to encode and decode sensitive information embedded within files, all managed by external key management systems.
In essence, Mozilla SOPS offers a powerful solution for navigating the complexities of encrypted secrets and configuration data. It excels in preserving the security of vital information, all while seamlessly aligning with modern development practices and deployment methodologies.
Let’s jump straight to action !
Installation of SOPS
wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops_3.7.1_amd64.deb
sudo dpkg -i sops_3.7.1_amd64.deb
sudo apt install -f
sops --version
sops --help
Install Age
Age is a simple, modern and secure file encryption tool, format, and Go library. We shall generate agekey and use it for encryption and decryption of secrets yaml file.
This is available in github project https://github.com/FiloSottile/age
AGE_VERSION=$(curl -s "https://api.github.com/repos/FiloSottile/age/releases/latest" | grep -Po '"tag_name": "(v.*)"' |grep -Po '[0-9].*[0-9]')
curl -Lo age.tar.gz "https://github.com/FiloSottile/age/releases/latest/download/age-v${AGE_VERSION}-linux-amd64.tar.gz"
tar xf age.tar.gz
mv age/age /usr/local/bin
mv age/age-keygen /usr/local/bin
Generate a newkey using Age
age-keygen -o agekey
export SOPS_AGE_KEY_FILE=$HOME/.sops/agekey
mkdir ~/.sops
cp ./agekey ~/.sops/
Encrypt secrets yaml files
sops --encrypt --encrypted-regex '^(data|stringData)$' --age $(cat ~/.sops/agekey |grep -oP "public key: \K(.*)") login-api.yaml > login-api-enc.yaml
After this a login-api-enc.yaml file will be created. If you open and see the file, the content will be encrypted.
To edit the encrypted file you have to use sops
sops login-api-enc.yaml
To decrypt and apply to kubernetes cluster
sops -d login-api-enc.yaml | kubectl apply -f -
To see the values in the secrets
k get secrets -n phoenix-uat
kubectl get secrets login-api-secrets -n phoenix-uat -o json | jq '.data | map_values(@base64d)'
Now you can push the encrypted secrets yaml files to the github repo and maintain it without worries.
If the file gets compromised then without the agekey it can’t be decrypted.
Note: Make sure you keep the agekey secure by keeing it in AWS KMS and using it from there.