.
├── 0-terraform-modules          # Terraform modules
│
├── dev.local-k8s-1              # k8s cluster context name
│   ├── app                      # k8s namespace
│   │   ├── .secrets             # secrets
│   │   │   ├── app1.json        # secret JSON, encrypted with SOPS
│   │   │   └── app2.json        # secret JSON, encrypted with SOPS
│   │   ├── app1.tf              # Vault secret settings
│   │   └── app2.tf              # Vault secret settings
│   │
│   └── logging                  # k8s namespace
│
├── dev.local-k8s-2              # k8s cluster context name
├── stage.gke-stage-cluster      # k8s cluster context name
├── ....                         # other contexts
└── prod.gke-prod-cluster        # k8s cluster context name
$ gpg --import ./my-gpg-key.asc
$ cd dev.local-k8s-1
$ terraform init
$ terraform apply
You can use an existing GPG key or create one for yourself:
$ gpg --batch --full-generate-key <<EOF
%no-protection
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Expire-Date: 0
Name-Comment: sops secrets
Name-Real: my-sops-key
EOF
$ SECRET_ENV=dev
$ SECRET_CONTEXT=local-k8s-2
$ DIRECTORY_NAME="${SECRET_ENV}.${SECRET_CONTEXT}"
$ mkdir "$DIRECTORY_NAME"
$ cd "$DIRECTORY_NAME"
$ SECRET_NAMESPACE=payment
$ mkdir -p "${SECRET_NAMESPACE}/.secrets"
To create a secret, write a JSON file holding the secret values into the namespace's .secrets directory, for example:
$ echo '{"DB_PASSWORD": "database password here","AWS_ACCESS_KEY_ID": "aws access key id here","AWS_SECRET_ACCESS_KEY": "aws secret access key here"}' > "${SECRET_NAMESPACE}/.secrets/service-sample.json"
Next, encrypt the file in place with SOPS, using the my-gpg-key.asc GPG key:
$ sops -e --in-place "${SECRET_NAMESPACE}/.secrets/service-sample.json"
Now, you can confidently add the JSON secret file to version control.
NOTE: my-gpg-key.asc is a PGP private key included for demonstration only. Never commit a private key to version control in production.
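The step above relies on nobody committing a .secrets/*.json file before `sops -e --in-place` has run. The guard below is an added example, not part of this README or of SOPS itself: a POSIX shell check, suitable for a pre-commit hook or CI job, that refuses plaintext files under a .secrets directory. It needs only grep, so it runs without sops or gpg installed. It assumes the layout shown above (secret keys in upper case such as DB_PASSWORD, SOPS metadata keys in lower case) and the sample files it writes are constructed placeholders, not real SOPS output. Note that `sops -e` must know which PGP fingerprint to encrypt to, from a `.sops.yaml` creation rule or a `--pgp` flag; that configuration is not shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original README: a pre-commit style guard that
# checks every JSON file under a .secrets directory is SOPS-encrypted before it
# is allowed into version control. Only grep is required, so it runs without
# sops or gpg installed. All key names and values in the samples are constructed.

# is_sops_encrypted FILE -> exit 0 if FILE looks SOPS-encrypted, 1 otherwise.
# Heuristic: SOPS adds a top-level "sops" metadata block listing the PGP
# recipients and a "mac"; every data value is wrapped as ENC[AES256_GCM,...].
is_sops_encrypted() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q '"sops"' "$f" || return 1            # metadata block present
  grep -q '"pgp"' "$f" || return 1             # at least one PGP recipient
  grep -qE '"mac": *"ENC\[' "$f" || return 1   # integrity MAC is itself encrypted
  # Data keys in this layout are upper case (DB_PASSWORD, AWS_...), while SOPS
  # metadata keys are lower case. Any upper-case key whose string value is not
  # an ENC[...] envelope is plaintext that must not be committed.
  leaked=$(grep -oE '"[A-Z][A-Z0-9_]*": *"[^"]*"' "$f" | grep -vE ': *"ENC\[' || true)
  [ -z "$leaked" ]
}

# check_secrets_dir DIR -> exit 0 if every *.json under DIR passes, 1 otherwise.
check_secrets_dir() {
  d="$1"
  status=0
  for f in "$d"/*.json; do
    [ -e "$f" ] || continue
    if is_sops_encrypted "$f"; then
      echo "ok        $f"
    else
      echo "PLAINTEXT $f  (refusing: run 'sops -e --in-place' on it first)" >&2
      status=1
    fi
  done
  return $status
}

# write_samples DIR -> writes one constructed plaintext file and one constructed
# SOPS-shaped file so the guard can be exercised offline.
write_samples() {
  d="$1"
  mkdir -p "$d"
  # Plaintext secret, in the shape the README's echo command produces.
  cat > "$d/plain.json" <<'EOF'
{"DB_PASSWORD": "database password here","AWS_ACCESS_KEY_ID": "aws access key id here"}
EOF
  # Shape of a SOPS-encrypted JSON file; ciphertext, fingerprint and the PGP
  # message body are placeholders, not real SOPS output.
  cat > "$d/encrypted.json" <<'EOF'
{
  "DB_PASSWORD": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
  "AWS_ACCESS_KEY_ID": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
  "sops": {
    "pgp": [{"fp": "PLACEHOLDER_FINGERPRINT", "enc": "-----BEGIN PGP MESSAGE-----\nPLACEHOLDER\n-----END PGP MESSAGE-----\n"}],
    "mac": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    "version": "3.x"
  }
}
EOF
}

# Stand-alone demo: `sh guard.sh --demo` writes the samples into a temporary
# directory and runs the check; plain.json is reported and the exit code is 1.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_samples "$tmp/.secrets"
  check_secrets_dir "$tmp/.secrets"
  rc=$?
  rm -rf "$tmp"
  exit $rc
fi
```

In a pre-commit hook you would call `check_secrets_dir` on each `.secrets` directory that appears in the staged file list and abort the commit on a non-zero return. The upper-case-key heuristic is deliberately conservative: a file that carries a "sops" block but still has one readable value is rejected, which is the failure mode that matters when an in-place encryption was interrupted or a new key was added to an already encrypted file without re-running sops.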