Simplifying Kubernetes Secrets Management with SOPS: My Technical Journey to an AI-Powered Solution

Martin Koníček
3 min read · May 5, 2024

Embarking on a journey to streamline the management of Kubernetes secrets was no small feat. My exploration led me to SOPS (Secrets OperationS), a tool that originated at Mozilla and is now maintained as a CNCF project. SOPS encrypts the values in structured files such as YAML and JSON while leaving the keys readable, which makes it well suited to Kubernetes Secret manifests that carry passwords and environment variables. However, integrating SOPS in a way that fit my workflow requirements presented several challenges. Below, I dive into the technical hurdles and the solutions I crafted, including my reliance on AI to generate initial code snippets and the subsequent refinements I made.

Example of encrypted config with SOPS

The Challenge with SOPS and AGE

At the core of SOPS is its ability to work with age, a modern file-encryption tool built on X25519 key pairs. SOPS encrypts each value under a random data key and wraps that data key to one or more age public keys (recipients), so only a holder of a matching private key can decrypt the file. Initially, the concept of managing these keys securely was daunting. Here's a simplified approach to storing the age key securely:

Creating AGE keys
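The key-storage step described above, written out as an added shell example (this is not the author's script). It assumes a hypothetical repository layout in which Secret manifests live under `secrets/`, keeps the private key in the default location SOPS searches (`~/.config/sops/age/keys.txt`, overridable with `SOPS_AGE_KEY_FILE`) with owner-only permissions, and writes a `.sops.yaml` that encrypts only the `data` and `stringData` values of those manifests. The sample key file contents used for checking are constructed.

```shell
#!/bin/sh
# Added example (not the author's script): create an age key pair for SOPS,
# keep the private key out of the repository with tight permissions, and
# write a .sops.yaml so every Secret under secrets/ is encrypted to that
# recipient. Paths and the secrets/ layout are assumptions.

# SOPS reads age private keys from this file unless SOPS_AGE_KEY_FILE is set.
AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/sops/age/keys.txt}"

# Create the key file once, readable only by the owner (umask 077).
# The private key never enters the repo; only the public recipient does.
create_age_key() {
    [ -f "$AGE_KEY_FILE" ] && return 0
    mkdir -p "$(dirname "$AGE_KEY_FILE")"
    (umask 077 && age-keygen -o "$AGE_KEY_FILE")
}

# Extract the recipient from the "# public key: age1..." comment line
# that age-keygen writes at the top of the key file.
age_public_key() {
    sed -n 's/^# public key: //p' "$1" | head -n 1
}

# Render .sops.yaml for stdout: encrypt only the Secret payload keys, so
# apiVersion/kind/metadata stay readable and diffable in Git.
render_sops_config() {
    cat <<EOF
creation_rules:
  - path_regex: ^secrets/.*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: $1
EOF
}

main() {
    create_age_key
    recipient="$(age_public_key "$AGE_KEY_FILE")"
    [ -n "$recipient" ] || { echo "no public key found in $AGE_KEY_FILE" >&2; exit 1; }
    render_sops_config "$recipient" > .sops.yaml
    echo "wrote .sops.yaml for recipient $recipient"
}

# Usage: ./age-init.sh init   (defines functions only when run without args)
if [ "${1:-}" = "init" ]; then
    main
fi
```

With the `.sops.yaml` in place, `sops --encrypt secrets/db.yaml` picks up the recipient and the encrypted regex automatically; anyone without the private key can still read and review the non-secret parts of the manifest.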

However, understanding SOPS and integrating it into my workflow only addressed part of the problem. Every fresh `sops --encrypt` run generates a new data key and new random nonces, so the ciphertext differs on each operation even when the plaintext hasn't changed, leading to unnecessary changes in my Git repository.

Crafting a Hash-Based Solution

To circumvent the issue of redundant commits, I introduced a mechanism using hashes to detect actual changes in sensitive content before deciding on an encryption operation. This was the pseudocode logic I conceptualized:

  1. Compute the hash of sensitive data before any potential change.
  2. Make necessary modifications to the Kubernetes YAML files.
  3. Compute the hash of sensitive data after changes.
  4. Apply SOPS encryption only if the hashes differ, indicating a true change in sensitive content.

Implementing this in a bash script as part of a Git pre-commit hook looked something like this:

Calculating Hash
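The hash-gated encryption from the four steps above, as an added shell example that is not the author's hook. It assumes a hypothetical layout: the plaintext Secret is a gitignored file (for example `secrets/db.plain.yaml`), the tracked file is its SOPS-encrypted twin (`secrets/db.enc.yaml`), and the hash of the plaintext that was last encrypted is recorded outside the repository history under `.git/sops-hashes` (overridable with `SOPS_HASH_DIR`). It hashes the whole plaintext file rather than only the secret values, because any change to the plaintext, metadata included, has to be reflected in the encrypted file anyway; the sample manifests used for checking are constructed.

```shell
#!/bin/sh
# Added example (not the author's script): re-encrypt a Kubernetes Secret
# with SOPS only when the plaintext actually changed, so the ciphertext
# (which differs on every sops run) is not rewritten needlessly.
#
# Assumed layout (hypothetical, not from the post):
#   - plaintext lives in a gitignored file, e.g. secrets/db.plain.yaml
#   - ciphertext is the tracked file,        e.g. secrets/db.enc.yaml
#   - last-encrypted plaintext hashes live under $SOPS_HASH_DIR, which
#     defaults to .git/sops-hashes and is therefore never committed.

SOPS_HASH_DIR="${SOPS_HASH_DIR:-.git/sops-hashes}"

# Portable SHA-256 of stdin; prints only the hex digest.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# Hash of the plaintext with trailing whitespace and blank lines removed,
# so editor noise does not count as a change worth re-encrypting.
content_hash() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sha256_stdin
}

# State file that records the hash last encrypted for plaintext path $1.
hash_state_file() {
    printf '%s/%s.sha256\n' "$SOPS_HASH_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# Succeeds (exit 0) when the plaintext differs from what was last encrypted.
needs_encrypt() {
    plain="$1"
    state="$(hash_state_file "$plain")"
    [ -f "$state" ] || return 0          # never encrypted before
    [ "$(cat "$state")" != "$(content_hash "$plain")" ]
}

# Remember the hash of the plaintext that was just encrypted.
record_hash() {
    mkdir -p "$SOPS_HASH_DIR"
    content_hash "$1" > "$(hash_state_file "$1")"
}

# Encrypt $1 (plaintext) into $2 (tracked ciphertext) only if needed.
# Only data/stringData values are encrypted; metadata stays readable.
encrypt_if_changed() {
    plain="$1"; enc="$2"
    if needs_encrypt "$plain"; then
        sops --encrypt --encrypted-regex '^(data|stringData)$' "$plain" > "$enc"
        record_hash "$plain"
        git add "$enc"
        echo "re-encrypted $enc"
    else
        echo "unchanged: $enc left as is"
    fi
}

# Pre-commit entry point: ./hook.sh secrets/db.plain.yaml secrets/db.enc.yaml
if [ $# -eq 2 ]; then
    encrypt_if_changed "$1" "$2"
fi
```

Two caveats a practitioner should keep in mind. The recorded hash is a hash of the secret plaintext, which is why it is kept under `.git/` and not committed: a SHA-256 of a short password in the repository would let anyone with read access guess it offline. And a pre-commit hook is only a local convenience; it does not run for colleagues who have not installed it, so a CI check that refuses unencrypted `Secret` manifests is still needed.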

Leaning on AI with ChatGPT

When I first leaned on AI, specifically ChatGPT, to generate the initial version of the scripts, the results were promising but imperfect. For example, the AI helped formulate the base concept of using hashes to detect changes, yet translating this into a robust, error-free script required a deeper dive.

After refining the script, accounting for edge cases, and ensuring the encryption process was seamless, I managed to create a solution that fitted beautifully into my workflows.

Furthermore, AI played a crucial role in generating the documentation for this project, marking an evolution in how we approach problem-solving in DevOps:

AI-generated README file

Real-World Application and Refinements

Testing and refining this solution in real-world scenarios has been incredibly rewarding. What began as a search for an automated encryption tool ended up as a comprehensive solution that elegantly manages Kubernetes secrets and avoids cluttering repository history with unnecessary changes.

This journey highlighted the importance of thinking outside the conventional toolkit and leveraging advancements in AI to propel project development forward. Sharing this solution and the process behind its creation, I hope to inspire others facing similar challenges, providing them a foundation to build upon and customize for their unique Kubernetes workflows.

The essence of this project is captured not just in its code but in the journey from concept to implementation, underscored by an innovative use of AI and a community-driven approach to problem-solving. For those intrigued by this journey and eager to explore this solution, I invite you to visit the project on GitHub and join in refining this approach to secrets management in Kubernetes.