Kluctl integrates natively with SOPS. Kluctl is able to decrypt all resources referenced by Kustomize deployment items (including simple deployments). In addition, Kluctl will also decrypt all variable sources of the types file and git.

Kluctl assumes that you have setup sops as usual so that it knows how to decrypt these files.

Only encrypting Secrets’s data

To only encrypt the data and stringData fields of Kubernetes secrets, use a .sops.yaml configuration file that encrypted_regex to filter encrypted fields:

  - path_regex: .*.yaml
    encrypted_regex: ^(data|stringData)$

Combining templating and SOPS

As an alternative, you can split secret values and the resulting Kubernetes resources into two different places and then use templating to use the secret values wherever needed. Example:

Write the following content into secrets/my-secrets.yaml:

  mySecret: secret-value

And encrypt it with SOPS:

  $ sops -e -i secrets/my-secrets.yaml

Add this variables source to one of your deployments:

  - file: secrets/my-secrets.yaml

- ...

Then, in one of your deployment items define the following Secret:

  apiVersion: v1
kind: Secret
  name: my-secret
  namespace: default
  secret: "{{ secrets.mySecret }}"