Skip to content

feat(sops): add SOPS plugin for age key provisioning #574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
solcik wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(sops): add SOPS plugin for age key provisioning #574

solcik wants to merge 1 commit into from

Conversation

@solcik
Copy link

@solcik solcik commented Feb 3, 2026

Summary

Add shell plugin for SOPS (Secrets OPerationS) that provisions SOPS_AGE_KEY environment variable from 1Password vault items.

Supported CLIs

  • sops - SOPS CLI for encrypt/decrypt operations
  • helm - With secrets subcommand (helm-secrets plugin)

Credential Type

  • secret_key - Age secret key (AGE-SECRET-KEY-...)

Provisioning

Sets SOPS_AGE_KEY environment variable with the age secret key.

NeedsAuth Rules

  • sops: Authenticates for all commands except --help and --version
  • helm: Only authenticates when secrets subcommand is used

Test Commands

# SOPS CLI
sops -d secrets.yaml
sops -e secrets.yaml

# Helm with SOPS secrets plugin
helm secrets decrypt secrets.yaml
helm secrets edit secrets.yaml

Use Case

SOPS with age encryption is commonly used for:

  • Encrypting Kubernetes secrets (helm-secrets)
  • Encrypting configuration files
  • GitOps workflows where secrets are stored encrypted in git

The plugin allows developers to store their age secret key in 1Password and have it automatically provisioned when running SOPS or helm-secrets commands.

@solcik
feat(sops): add SOPS plugin for age key provisioning
3361434 
Add shell plugin for SOPS (Secrets OPerationS) that provisions
SOPS_AGE_KEY environment variable from 1Password vault items.

Supports:
- sops CLI for encrypt/decrypt operations
- helm CLI with 'secrets' subcommand (helm-secrets plugin)

Credential type:
- secret_key: Age secret key (AGE-SECRET-KEY-...)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@solcik