Secret Management
Encrypt and decrypt secrets using SOPS with support for age, PGP, and cloud KMS providers.
ksail cipher encrypt secret.yaml
ksail cipher decrypt secret.enc.yaml
ksail cipher edit secret.enc.yaml
ksail cipher rotate secret.enc.yaml
ksail cipher import AGE-SECRET-KEY-1...

Supported KMS: See Key Management Systems for supported providers and documentation links.
GitOps Integration
When a GitOps engine is active and SOPS is enabled, KSail automatically creates a sops-age Secret containing your Age private key and wires it into the GitOps engine.
Key Resolution
KSail resolves the Age private key using this priority order:

1. sops.env.var: explicit environment variable name
2. sops.ageKeyEnvVar: deprecated fallback (default: SOPS_AGE_KEY)
3. sops.extract.file: custom key file path (defaults to OS-specific SOPS path)

Use sops.extract.publicKeys to filter which keys from a key file are included in the Secret. If no key can be resolved, the sops-age Secret is not created and SOPS integration is skipped.
Configure all options via spec.cluster.sops in ksail.yaml — see Declarative Configuration.
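
To preview which source would win, and which identities a public-key filter would keep, before KSail builds the sops-age Secret, the priority order above can be mimicked in a short script. This is an added illustration, not KSail's code: the function names, the treatment of an unset or empty variable as "fall through", and matching on the "# public key:" comment written by age-keygen are assumptions.

```shell
#!/bin/sh
# Added illustration, not KSail's code. Prints no private key material.

# resolve_age_source ENV_VAR KEY_FILE [DEPRECATED_VAR]
# Mirrors the documented order: sops.env.var, sops.ageKeyEnvVar, sops.extract.file.
# Assumption: an unset or empty variable falls through to the next source.
resolve_age_source() {
    key_file=$2
    for name in "$1" "${3:-SOPS_AGE_KEY}"; do
        [ -n "$name" ] || continue
        value=$(printenv "$name" 2>/dev/null) || continue
        case $value in
            *AGE-SECRET-KEY-1*) echo "env:$name"; return 0 ;;
        esac
    done
    if [ -f "$key_file" ] && grep -q '^AGE-SECRET-KEY-1' "$key_file"; then
        echo "file:$key_file"; return 0
    fi
    echo "none"; return 1
}

# selected_public_keys KEY_FILE [PUBLIC_KEY...]
# Lists public keys of the identities a sops.extract.publicKeys filter would keep
# (no filter keeps all). Assumption: each identity follows the
# "# public key: age1..." comment that age-keygen writes.
selected_public_keys() {
    file=$1; shift
    awk -v filter="$*" '
        BEGIN { n = split(filter, want, " ") }
        /^# public key: / { pub = $4; next }
        /^AGE-SECRET-KEY-1/ {
            keep = (n == 0)
            for (i = 1; i <= n; i++) if (want[i] == pub) keep = 1
            if (keep && pub != "") print pub
            pub = ""
        }' "$file"
}

# Constructed sample key file with placeholder values, not real keys.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# public key: age1exampleclusterkey
AGE-SECRET-KEY-1EXAMPLECLUSTERPLACEHOLDER
# public key: age1examplepersonalkey
AGE-SECRET-KEY-1EXAMPLEPERSONALPLACEHOLDER
EOF
resolve_age_source "" "$demo"
selected_public_keys "$demo" age1exampleclusterkey
rm -f "$demo"
```

Running the filter check before deployment shows whether a personal identity stored in the same key file would be copied into the cluster alongside the one the cluster needs.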
KSail creates or updates the sops-age Secret in the flux-system namespace. Flux Kustomization CRDs reference it via spec.decryption.secretRef.
ArgoCD
KSail creates or updates the sops-age Secret in the argocd namespace and installs a Config Management Plugin (CMP) sidecar on the repo-server. The CMP decrypts SOPS-encrypted manifests before ArgoCD renders them — no manual plugin configuration required. See ArgoCD ApplicationSet — SOPS Age Integration for usage examples.