Work with Secrets using SOPS
Install the sops tool locally (version 3.7.1 is used in the automated pipeline).
Decrypt the file
Take the value of the AGE secret (from secrets.md) and put it in a file, e.g.
sops -d kubermatic/kubermatic-configuration.yaml
sops -d kubermatic/values.yaml
With the above commands, the decrypted content of the files is written to standard output.
You can also use the -i option to update the file in place.
Make sure that you never commit the files with decrypted values inside your repository!
Encrypt the values
If you want to update some values or encrypt new ones, you will need the AGE public key (set in
which is passed to the
sops -e --encrypted-regex 'secret|Secret|key|Key|password|hash' --age $AGE_PUBLIC_KEY kubermatic/values.yaml
You should decrypt the whole file if you want to update some parts; otherwise sops will complain that the file already has some encrypted values.
Be aware that even if you are updating a non-sensitive value in a file which includes some encrypted values, it is still necessary to first decrypt the file, update the values and encrypt again. This is needed to avoid a “MAC mismatch” (message authentication code) error.
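One way to enforce the rule about never committing decrypted files, as an added example that is not part of the original page: a line-based heuristic that fails when a scalar under a key matching the --encrypted-regex from the encrypt command does not start with ENC[, or when the file has no sops metadata block. The function names check_sops_encrypted and check_files are hypothetical, and nested children of a matching parent key are not inspected.

```shell
#!/bin/sh
# Added example, not part of the original page. Heuristic, line-based check:
# only scalar "key: value" lines are inspected.
SOPS_KEY_REGEX='secret|Secret|key|Key|password|hash'  # regex from the sops -e command

# check_sops_encrypted FILE
# Returns 0 if FILE has a top-level "sops:" metadata block and every scalar
# under a matching key starts with "ENC["; otherwise prints findings, returns 1.
check_sops_encrypted() {
    awk -v re="$SOPS_KEY_REGEX" '
        /^sops:[ \t]*$/ { has_meta = 1; exit }      # sops metadata follows: stop scanning
        /^[ \t]*#/      { next }                    # skip comments
        {
            line = $0
            sub(/^[ \t]*(-[ \t]+)?/, "", line)      # drop indentation and list dash
            idx = index(line, ":")
            if (idx == 0) next
            key = substr(line, 1, idx - 1)
            val = substr(line, idx + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "") next                     # parent mapping, no scalar here
            if (key ~ re && val !~ /^ENC\[/) {
                printf "%s:%d: plaintext value under key \"%s\"\n", FILENAME, NR, key
                bad = 1
            }
        }
        END {
            if (!has_meta) { print FILENAME ": no sops metadata block"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# check_files FILE... : run the check on every argument (e.g. the staged
# files handed over by a pre-commit hook); returns 1 if any file fails.
check_files() {
    rc=0
    for f in "$@"; do
        check_sops_encrypted "$f" || rc=1
    done
    return "$rc"
}
```

Called from a pre-commit hook with the paths of the staged SOPS-managed files, a non-zero return from check_files blocks the commit.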