Render and encrypt Kubernetes Secrets per cluster and namespace — in one command.
You define your secrets once in a .sopsify.yaml. Sopsify replaces placeholders
in your templates with the right values, encrypts them with SOPS,
and writes everything to the correct folder.

```sh
sopsify -t secrets/
```

Note
Requires SOPS in your PATH.

```sh
sudo npm link
```

1. You write a Secret template with `${...}` placeholders:

```yaml
# secrets/app-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app
data:
  token: ${api-token}
```

2. You define values per cluster and namespace in `.sopsify.yaml`:

```yaml
sopsify:
  - production:
      - template: "app-secret.yaml"
        values:
          - key: api-token
            value: cHJvZF90b2tlbg==
            namespaces: [frontend, backend]
  - staging:
      - template: "app-secret.yaml"
        values:
          - key: api-token
            value: c3RhZ2luZ190b2tlbg==
            namespaces: [frontend]
```

3. Sopsify generates encrypted files in your cluster folder structure:

```
clusters/
├── production/secrets/
│   ├── frontend/app-secret.enc.yaml
│   └── backend/app-secret.enc.yaml
└── staging/secrets/
    └── frontend/app-secret.enc.yaml
```

Each file has the placeholders replaced, metadata.namespace set, and is encrypted with SOPS.
Same value for multiple namespaces — list them together:

```yaml
- key: token
  value: abc
  namespaces: [frontend, backend]
```

Different values per namespace — repeat the key:

```yaml
- key: token
  value: abc
  namespaces: [frontend]
- key: token
  value: xyz
  namespaces: [backend]
```

A key cannot appear twice for the same namespace.

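
A pre-flight check for the rule above, as an added example that is not part of sopsify: it takes the already-parsed `.sopsify.yaml` as a plain object plus the template text, and reports keys repeated for one namespace and placeholders that have no value in a target namespace. The function name `lintSopsifyConfig`, the `templates` map, the `worker` namespace and all sample values are assumptions made for this illustration.

```javascript
// Added example (not sopsify's code): lint a parsed .sopsify.yaml before rendering.
// `config` is the object a YAML parser would return; `templates` maps file name -> text.
const PLACEHOLDER = /\$\{([^}]+)\}/g;

function lintSopsifyConfig(config, templates) {
  const findings = [];
  for (const clusterEntry of config.sopsify) {
    for (const [cluster, entries] of Object.entries(clusterEntry)) {
      for (const entry of entries) {
        const where = `${cluster}/${entry.template}`;
        const keysByNamespace = new Map(); // namespace -> Set of keys given a value
        for (const { key, namespaces } of entry.values) {
          for (const ns of namespaces) {
            if (!keysByNamespace.has(ns)) keysByNamespace.set(ns, new Set());
            const keys = keysByNamespace.get(ns);
            if (keys.has(key)) {
              findings.push(`${where}: key "${key}" appears twice for namespace "${ns}"`);
            }
            keys.add(key);
          }
        }
        // Every placeholder in the template needs a value in every target namespace.
        const text = templates[entry.template] ?? "";
        const needed = new Set([...text.matchAll(PLACEHOLDER)].map((m) => m[1]));
        for (const [ns, keys] of keysByNamespace) {
          for (const name of needed) {
            if (!keys.has(name)) {
              findings.push(`${where}: placeholder "${name}" has no value for namespace "${ns}"`);
            }
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample input: an abbreviated template and a config with two mistakes.
const templates = { "app-secret.yaml": "kind: Secret\ndata:\n  token: ${api-token}\n" };
const badConfig = { sopsify: [{ production: [{
  template: "app-secret.yaml",
  values: [
    { key: "api-token", value: "YQ==", namespaces: ["frontend", "backend"] },
    { key: "api-token", value: "Yg==", namespaces: ["backend"] }, // duplicate for backend
    { key: "api-tokn", value: "Yw==", namespaces: ["worker"] },   // typo in key
  ],
}] }] };
console.log(lintSopsifyConfig(badConfig, templates).join("\n"));
```

An empty result means every namespace has exactly one value for each placeholder its template uses.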
MIT