kustomize-gopass is an exec-based KRM function Kustomize plugin that injects secrets from gopass into Kubernetes Secret resources. This allows you to work with Kubernetes Secret resources in your Kustomize base without directly including the sensitive secret values in your manifests.
Here's how it works:
In your Kustomize base, you can include your Secret resources, but instead of embedding the actual secret values, you set the secret keys to point to the paths of the secrets stored in your pre-configured gopass password manager. When you run kustomize build, the kustomize-gopass plugin executes. It reads any gopass paths specified in the secret keys and retrieves the corresponding secret values from your gopass repository. The plugin then injects the retrieved secret values into the Secret resource(s) rendered by Kustomize.
This approach allows you to manage your sensitive data in gopass, while still maintaining the convenience of defining your Kubernetes resources in Kustomize.
kustomize-gopass is available on Linux, Mac, and Windows[^1].
- Visit the releases page of this repository.
- Download the appropriate archive for your operating system and architecture.
- Extract the archive.
- Move the binary to a location in your PATH.
```shell
go install github.com/jossware/kustomize-gopass@latest
```

If you want to include a Secret in a Kustomize base that retrieves values from gopass, you need to:

- Annotate it with the `config.kubernetes.io/function` annotation to tell Kustomize what function to run:

  ```yaml
  metadata:
    annotations:
      config.kubernetes.io/function: |
        exec:
          path: kustomize-gopass
  ```

  The above assumes that the kustomize-gopass binary is in your PATH. If not, you can modify the above to the absolute path to the kustomize-gopass binary on your system.

- Configure any `data` or `stringData` fields to use values stored in gopass. You do this by setting the field to a value like `gopass:<path/to/secret/in/gopass>`. For example:

  ```yaml
  data:
    password: gopass:dev/db/password
  ```
Next, you need to configure Kustomize to treat the manifest for the Secret above as a generator:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- my-secrets.yaml
# ...
```

- Build

  In order to run Kustomize with function support, you need to use the `--enable-alpha-plugins` and `--enable-exec` flags.

  ```shell
  kustomize build --enable-exec --enable-alpha-plugins my-base
  ```

my-secrets.yaml:

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secrets
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: kustomize-gopass
data:
  dbpw: gopass:dev/db/password
  apikey: gopass:dev/thirdparty/app/apikey
```

kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- my-secrets.yaml
# ...
```

```shell
$ kustomize build --enable-exec --enable-alpha-plugins .
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secrets
data:
  dbpw: <actual base64-encoded secret value>
  apikey: <actual base64-encoded secret value>
...
```

We built kustomize-gopass for existing gopass users who want to more easily manage Kubernetes secrets for local development, side projects, or in homelab scenarios. Keep in mind that generating Kubernetes secrets client-side does make it rather easy for plain text secrets to leak into your terminal output, CI/CD logs, or elsewhere. For production, business-critical systems, we would lean towards something like the Secrets Store CSI Driver or External Secrets Operator or any of the varied secrets-management solutions available in the Kubernetes ecosystem.
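The substitution described above, as an added Go example that is not the project's own code: `gopass:` references under `data` and `stringData` are resolved through a pluggable resolver, and values under `data` are base64-encoded as the Secret API requires. The `GopassResolver` and its `gopass show -o` flag are assumptions of this example, and the in-memory store in `main` is constructed sample data.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os/exec"
	"strings"
)

// Resolver maps a gopass path (the text after "gopass:") to its secret value.
type Resolver func(path string) (string, error)

// GopassResolver reads the real store; "gopass show -o" is assumed to print
// only the password line (flag not taken from the README).
func GopassResolver(path string) (string, error) {
	out, err := exec.Command("gopass", "show", "-o", path).Output()
	if err != nil {
		return "", fmt.Errorf("gopass show %s: %w", path, err)
	}
	return strings.TrimRight(string(out), "\n"), nil
}

// InjectSecrets rewrites every "gopass:<path>" value under data and stringData.
// data values are base64-encoded; stringData stays plain. Other values pass
// through untouched, and an unresolvable path is an error, never an empty secret.
func InjectSecrets(secret map[string]map[string]string, resolve Resolver) error {
	for _, field := range []string{"data", "stringData"} {
		for key, val := range secret[field] {
			if !strings.HasPrefix(val, "gopass:") {
				continue
			}
			plain, err := resolve(strings.TrimPrefix(val, "gopass:"))
			if err != nil {
				return fmt.Errorf("%s.%s: %w", field, key, err)
			}
			if field == "data" {
				plain = base64.StdEncoding.EncodeToString([]byte(plain))
			}
			secret[field][key] = plain
		}
	}
	return nil
}

func main() {
	// Constructed stand-in for a gopass store (no real secrets involved).
	store := map[string]string{"dev/db/password": "hunter2"}
	fake := func(p string) (string, error) { return store[p], nil }
	secret := map[string]map[string]string{"data": {"dbpw": "gopass:dev/db/password"}}
	if err := InjectSecrets(secret, fake); err == nil {
		fmt.Println(secret["data"]["dbpw"]) // aHVudGVyMg==
	}
}
```

Swap `fake` for `GopassResolver` to read from a real store; note that the rendered output then carries the plaintext secrets, which is exactly the leak the caveat above describes.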
To build and run the project locally, clone the repository and run:

```shell
git clone https://github.com/yourusername/kustomize-gopass.git
cd kustomize-gopass
go build
./kustomize-gopass
```

To run tests, use the following command:

```shell
go test ./...
```

Contributions are welcome! Please open an issue or submit a pull request.
This project is licensed under the MIT License. See the LICENSE file for details.
[^1]: kustomize-gopass has not been tested extensively on Windows. Please file an issue if you run into any problems.