A SOPS companion CLI for editing, validating, and rekeying Kubernetes secrets
Project description
ksops
A SOPS companion CLI for editing, validating, and rekeying Kubernetes secrets.
ksops does not replace SOPS. It uses the sops binary for encryption, decryption,
editing, and key updates, while adding small GitOps-oriented workflows around it.
Why ksops?
sops is excellent at encrypting files with age, GPG, KMS, and cloud key services.
But Kubernetes secret repos often need repeatable project workflows around that core.
ksops is a DX layer on top of sops for Kubernetes/GitOps repositories:
| sops | ksops | |
|---|---|---|
| Encrypt files for GitOps | ✅ | ✅ (via sops) |
| Edit encrypted files | ✅ | ✅ ksops edit |
| Decrypt to stdout | ✅ | ✅ ksops cat |
| Initialize Kubernetes Secret defaults | ❌ | ✅ ksops init |
| Encrypt all plaintext Secret manifests | ❌ | ✅ ksops encrypt-all |
Rekey one file from .sops.yaml |
✅ sops updatekeys |
✅ ksops rekey |
| Rekey all encrypted manifests | ❌ | ✅ ksops rekey-all |
| Check plaintext Kubernetes Secret leaks | ❌ | ✅ ksops validate-all |
Commands
ksops init --age age1...
ksops edit secret.yaml
ksops cat secret.yaml
ksops encrypt secret.yaml --in-place
ksops encrypt-all ./manifests
ksops decrypt secret.yaml
ksops rekey secret.yaml
ksops rekey-all ./manifests
ksops validate-all ./manifests
ksops completion zsh
Configuration
Encryption policy stays in native .sops.yaml.
creation_rules:
- path_regex: .*secret.*\.ya?ml$
encrypted_regex: ^(data|stringData)$
age: age1...
ksops init --age age1... creates a starter .sops.yaml, but all encryption
behavior is still handled by SOPS itself.
Shell Completion
source <(ksops completion bash)
source <(ksops completion zsh)
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ksops-0.2.1.tar.gz.
File metadata
- Download URL: ksops-0.2.1.tar.gz
- Upload date:
- Size: 25.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.13 {"installer":{"name":"uv","version":"0.11.13","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a4f1e18f8731b10a4d8d98e20184856f0c48bf02aeee08672d77912c8e1208a3
|
|
| MD5 |
81c240177997954ed1c676b10de2a56e
|
|
| BLAKE2b-256 |
5c0574462ffeec368c3fa00e334f58636345e57f9acdfd909efdd37c0adcfbd6
|
File details
Details for the file ksops-0.2.1-py3-none-any.whl.
File metadata
- Download URL: ksops-0.2.1-py3-none-any.whl
- Upload date:
- Size: 6.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.13 {"installer":{"name":"uv","version":"0.11.13","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cdcd88a3b9e3454e075e25518f1e184aba436232aada7d631b252d9037a06b9c
|
|
| MD5 |
43435f6e64165a79963a182b18afb8ff
|
|
| BLAKE2b-256 |
18b8a045b2968ba097c079bc9af58dafaf1293e7c70c09d86a1ae2436bc3cb38
|
