Skip to content

SOPS Operator

A Kubernetes operator that decrypts SOPS-encrypted secrets and creates native Kubernetes Secrets.

  • Secure by Design

    Full SOPS YAML stored in CRD including MAC for integrity verification

  • AGE Encryption

    Simple, secure encryption with no cloud dependencies

  • GitOps Ready

    Store encrypted secrets in Git, operator handles decryption

  • Cloud Native

    Built with controller-runtime, follows Kubernetes patterns

Quick Start

# Install the operator
kubectl apply -f https://github.com/scalaric/sops-operator/releases/latest/download/install.yaml

Get Started View on GitHub

Why SOPS Operator?

Managing secrets in Kubernetes with GitOps is challenging. You want to store everything in Git, but secrets need to stay secret. SOPS Operator solves this by:

  1. Encrypting secrets with SOPS - Store encrypted YAML in Git
  2. Storing encrypted data in CRDs - Apply encrypted secrets to Kubernetes
  3. Automatic decryption - Operator decrypts and creates native Secrets
apiVersion: secrets.scalaric.io/v1alpha1
kind: SopsSecret
metadata:
  name: my-secret
spec:
  sopsSecret: |
    apiVersion: v1
    kind: Secret
    data:
      password: ENC[AES256_GCM,data:...,type:str]
    sops:
      age:
        - recipient: age1...
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ...

Features

  • ✅ Decrypts SOPS-encrypted YAML and creates Kubernetes Secrets
  • ✅ Supports AGE encryption
  • ✅ Full SOPS YAML stored in CRD (including MAC)
  • ✅ Automatic Secret recreation if deleted
  • ✅ Owner references for automatic cleanup
  • ✅ Status conditions for observability
  • ✅ Suspend functionality for maintenance