
secrets

AGE key validation, SOPS-driven template rendering, and Kubernetes
Secret manifest generation. Other blueprints modules depend on this one
rather than implementing SOPS workflows directly. Created in #143 to
consolidate three previous implementations across configuration, vm,
and kubernetes-deployment.

Installation

dagger install github.com/stuttgart-things/blueprints/secrets@v2.0.0

Entrypoint

Return Type
Secrets
Example
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 call \
// Example obtains the secrets module client. No module function is invoked
// here, so no key material is touched yet.
func (m *MyModule) Example() *dagger.Secrets {
	secrets := dag.Secrets()
	return secrets
}
@function
def example() -> dagger.Secrets:
	"""Return the secrets module client without invoking any of its functions."""
	client = dag.secrets()
	return client
/** Returns the secrets module client without invoking any of its functions. */
@func()
example(): Secrets {
	const client = dag.secrets()
	return client
}

Types

Secrets 🔗

createKubernetesSecret() 🔗

CreateKubernetesSecret builds a Kubernetes Secret manifest from name, namespace, and comma-separated key=value pairs, then encrypts it with SOPS using the given AGE public key. Returns the encrypted manifest as a *dagger.File.

Values are base64-encoded and placed under data: to match the standard Kubernetes Secret layout. Base64 is only an encoding, not a protection; the SOPS encryption step is what keeps the values confidential.

Usage:

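# The AGE public key is read from the AGE_PUB environment variable (env:AGE_PUB),
# so no key material appears as a literal on the command line.
# Only the SOPS-encrypted manifest is written to ./secret.enc.yaml.
# The detect-secrets pragma must stay on its own line: a "#" after a trailing "\"
# ends the line continuation and splits the command in two.
# pragma: allowlist secret
dagger call -m secrets create-kubernetes-secret \
  --name my-secret --namespace default \
  --key-values "user=admin,password=s3cret" \
  --age-public-key env:AGE_PUB \
  export --path ./secret.enc.yaml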
Return Type
File !
Arguments
NameTypeDefault ValueDescription
nameString !-No description provided
namespaceString !-No description provided
keyValuesString !-Comma-separated key=value pairs (e.g. "user=admin,password=s3cret")
agePublicKeySecret !-AGE public key for SOPS encryption
sopsConfigFile -SOPS config file (.sops.yaml)
Example
# Placeholder values: replace "string" with real arguments; env:MYSECRET names an
# environment variable holding the AGE public key.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call create-kubernetes-secret \
  --name string \
  --namespace string \
  --key-values string \
  --age-public-key env:MYSECRET
// Example builds a Kubernetes Secret manifest from name, namespace and the
// comma-separated keyValues pairs and returns it SOPS-encrypted to agePublicKey
// as a *dagger.File. The public key is passed as a dagger.Secret rather than a
// plain string.
func (m *MyModule) Example(name string, namespace string, keyValues string, agePublicKey *dagger.Secret) *dagger.File {
	secrets := dag.Secrets()
	return secrets.CreateKubernetesSecret(name, namespace, keyValues, agePublicKey)
}
@function
def example(name: str, namespace: str, key_values: str, age_public_key: dagger.Secret) -> dagger.File:
	"""Build a Kubernetes Secret manifest from key_values and return it SOPS-encrypted to age_public_key.

	age_public_key is handed over as a dagger.Secret, not as a plain string.
	"""
	client = dag.secrets()
	encrypted = client.create_kubernetes_secret(name, namespace, key_values, age_public_key)
	return encrypted
/**
 * Builds a Kubernetes Secret manifest from keyValues and returns it
 * SOPS-encrypted to agePublicKey as a File. The public key is passed as a
 * Secret, not as a plain string.
 */
@func()
example(name: string, namespace: string, keyValues: string, agePublicKey: Secret): File {
	const client = dag.secrets()
	return client.createKubernetesSecret(name, namespace, keyValues, agePublicKey)
}

createKubernetesSecretString() 🔗

CreateKubernetesSecretString is the string-returning variant of CreateKubernetesSecret: it returns the SOPS-encrypted manifest as a string instead of a File.

Return Type
String !
Arguments
NameTypeDefault ValueDescription
nameString !-No description provided
namespaceString !-No description provided
keyValuesString !-No description provided
agePublicKeySecret !-No description provided
sopsConfigFile -No description provided
Example
# Placeholder values: replace "string" with real arguments; env:MYSECRET names an
# environment variable holding the AGE public key.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call create-kubernetes-secret-string \
  --name string \
  --namespace string \
  --key-values string \
  --age-public-key env:MYSECRET
// Example returns the SOPS-encrypted Kubernetes Secret manifest as a string
// (string-returning variant of CreateKubernetesSecret).
// NOTE(review): in the Go SDK a ctx-taking call like this also yields an error;
// a real module function should return (string, error) and propagate it.
func (m *MyModule) Example(ctx context.Context, name string, namespace string, keyValues string, agePublicKey *dagger.Secret) string {
	secrets := dag.Secrets()
	return secrets.CreateKubernetesSecretString(ctx, name, namespace, keyValues, agePublicKey)
}
@function
async def example(name: str, namespace: str, key_values: str, age_public_key: dagger.Secret) -> str:
	"""Return the SOPS-encrypted Kubernetes Secret manifest as a string.

	Awaited because the string result is resolved eagerly, unlike the File-returning variant.
	"""
	client = dag.secrets()
	manifest = await client.create_kubernetes_secret_string(name, namespace, key_values, age_public_key)
	return manifest
/**
 * Returns the SOPS-encrypted Kubernetes Secret manifest as a string
 * (string-returning variant of createKubernetesSecret).
 */
@func()
async example(name: string, namespace: string, keyValues: string, agePublicKey: Secret): Promise<string> {
	const client = dag.secrets()
	const manifest = await client.createKubernetesSecretString(name, namespace, keyValues, agePublicKey)
	return manifest
}

decrypt() 🔗

Decrypt decrypts a SOPS-encrypted file with the given AGE private key and returns the plaintext contents.

Return Type
String !
Arguments
NameTypeDefault ValueDescription
sopsKeySecret !-AGE private key (AGE-SECRET-KEY-...)
encryptedFileFile !-SOPS-encrypted file (YAML/JSON)
Example
# env:MYSECRET names the environment variable holding the AGE private key;
# file:path points at the SOPS-encrypted input. The plaintext is printed to stdout.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call decrypt \
  --sops-key env:MYSECRET \
  --encrypted-file file:path
// Example decrypts a SOPS-encrypted file with the AGE private key in sopsKey
// and returns the plaintext contents, which the caller must handle as sensitive.
// NOTE(review): in the Go SDK a ctx-taking call like this also yields an error;
// a real module function should return (string, error) and propagate it.
func (m *MyModule) Example(ctx context.Context, sopsKey *dagger.Secret, encryptedFile *dagger.File) string {
	secrets := dag.Secrets()
	return secrets.Decrypt(ctx, sopsKey, encryptedFile)
}
@function
async def example(sops_key: dagger.Secret, encrypted_file: dagger.File) -> str:
	"""Decrypt a SOPS-encrypted file with the AGE private key and return the plaintext.

	The returned string holds decrypted secret material; keep it out of logs.
	"""
	client = dag.secrets()
	plaintext = await client.decrypt(sops_key, encrypted_file)
	return plaintext
/**
 * Decrypts a SOPS-encrypted file with the AGE private key and returns the
 * plaintext. The result holds decrypted secret material; keep it out of logs.
 */
@func()
async example(sopsKey: Secret, encryptedFile: File): Promise<string> {
	const client = dag.secrets()
	const plaintext = await client.decrypt(sopsKey, encryptedFile)
	return plaintext
}

encryptFile() 🔗

EncryptFile encrypts a plaintext file with SOPS using an AGE public key and returns the encrypted contents.

Return Type
String !
Arguments
NameTypeDefault ValueDescription
agePublicKeySecret !-AGE public key for encryption (age1...)
plaintextFileFile !-Plaintext file to encrypt
fileExtensionString "yaml"File extension for SOPS encryption (e.g. "yaml", "json")
sopsConfigFile -SOPS config file (.sops.yaml)
Example
# env:MYSECRET names the environment variable holding the AGE public key;
# file:path points at the plaintext file. The encrypted contents are printed.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call encrypt-file \
  --age-public-key env:MYSECRET \
  --plaintext-file file:path
// Example SOPS-encrypts plaintextFile to the AGE public key in agePublicKey and
// returns the encrypted contents as a string.
// NOTE(review): in the Go SDK a ctx-taking call like this also yields an error;
// a real module function should return (string, error) and propagate it.
func (m *MyModule) Example(ctx context.Context, agePublicKey *dagger.Secret, plaintextFile *dagger.File) string {
	secrets := dag.Secrets()
	return secrets.EncryptFile(ctx, agePublicKey, plaintextFile)
}
@function
async def example(age_public_key: dagger.Secret, plaintext_file: dagger.File) -> str:
	"""SOPS-encrypt plaintext_file to the AGE public key and return the encrypted contents."""
	client = dag.secrets()
	encrypted = await client.encrypt_file(age_public_key, plaintext_file)
	return encrypted
/** SOPS-encrypts plaintextFile to the AGE public key and returns the encrypted contents. */
@func()
async example(agePublicKey: Secret, plaintextFile: File): Promise<string> {
	const client = dag.secrets()
	const encrypted = await client.encryptFile(agePublicKey, plaintextFile)
	return encrypted
}

encryptString() 🔗

EncryptString encrypts an in-memory string with SOPS using an AGE public key. Convenience wrapper around EncryptFile that materializes the input as a file first.

Return Type
String !
Arguments
NameTypeDefault ValueDescription
agePublicKeySecret !-AGE public key for encryption (age1...)
plaintextString !-Plaintext content to encrypt
fileExtensionString "yaml"File extension for SOPS encryption (e.g. "yaml", "json")
sopsConfigFile -SOPS config file (.sops.yaml)
Example
# env:MYSECRET names the environment variable holding the AGE public key.
# Note that --plaintext is passed as a literal argument and is visible in shell
# history and process listings, unlike the env:-referenced key.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call encrypt-string \
  --age-public-key env:MYSECRET \
  --plaintext string
// Example SOPS-encrypts the in-memory plaintext string to the AGE public key in
// agePublicKey and returns the encrypted contents (wrapper around EncryptFile).
// NOTE(review): in the Go SDK a ctx-taking call like this also yields an error;
// a real module function should return (string, error) and propagate it.
func (m *MyModule) Example(ctx context.Context, agePublicKey *dagger.Secret, plaintext string) string {
	secrets := dag.Secrets()
	return secrets.EncryptString(ctx, agePublicKey, plaintext)
}
@function
async def example(age_public_key: dagger.Secret, plaintext: str) -> str:
	"""SOPS-encrypt the in-memory plaintext to the AGE public key and return the encrypted contents."""
	client = dag.secrets()
	encrypted = await client.encrypt_string(age_public_key, plaintext)
	return encrypted
/** SOPS-encrypts the in-memory plaintext to the AGE public key and returns the encrypted contents. */
@func()
async example(agePublicKey: Secret, plaintext: string): Promise<string> {
	const client = dag.secrets()
	const encrypted = await client.encryptString(agePublicKey, plaintext)
	return encrypted
}

renderTemplate() 🔗

RenderTemplate decrypts a SOPS-encrypted data file, renders a Go template against the decrypted values, and (optionally) re-encrypts the result with a different AGE recipient. Returns the rendered file, SOPS-encrypted unless encrypt=false, in which case the returned file contains the plaintext render.

Return Type
File !
Arguments
NameTypeDefault ValueDescription
ageKeySecret !-AGE private key for SOPS decrypt (AGE-SECRET-KEY-...)
encryptedDataFileFile !-SOPS-encrypted data file (YAML/JSON) whose values feed the template
templateFileFile !-Go template file (e.g. secret.json.tmpl) rendered against the decrypted data
ageRecipientSecret -AGE public recipient for SOPS re-encrypt (age1...); required when encrypt=true
fileExtensionString "json"File extension for the SOPS-encrypted output
sopsConfigFile -Optional .sops.yaml used for both decrypt and encrypt
encryptBoolean "true"When true, SOPS-encrypt the rendered file; when false, return the plaintext render
Example
# env:MYSECRET names the environment variable holding the AGE private key used
# for decryption; both file:path values are placeholders. With the defaults
# (encrypt=true) an --age-recipient is also required for the re-encrypt step.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call render-template \
  --age-key env:MYSECRET \
  --encrypted-data-file file:path \
  --template-file file:path
// Example decrypts encryptedDataFile with the AGE private key in ageKey,
// renders templateFile against the decrypted values and returns the rendered
// file (SOPS-encrypted by default; see the encrypt and ageRecipient options).
func (m *MyModule) Example(ageKey *dagger.Secret, encryptedDataFile *dagger.File, templateFile *dagger.File) *dagger.File {
	secrets := dag.Secrets()
	return secrets.RenderTemplate(ageKey, encryptedDataFile, templateFile)
}
@function
def example(age_key: dagger.Secret, encrypted_data_file: dagger.File, template_file: dagger.File) -> dagger.File:
	"""Decrypt encrypted_data_file with age_key, render template_file against it and return the result.

	The returned file is SOPS-encrypted by default; only with encrypt=false does it hold plaintext.
	"""
	client = dag.secrets()
	rendered = client.render_template(age_key, encrypted_data_file, template_file)
	return rendered
/**
 * Decrypts encryptedDataFile with ageKey, renders templateFile against the
 * decrypted values and returns the result (SOPS-encrypted by default).
 */
@func()
example(ageKey: Secret, encryptedDataFile: File, templateFile: File): File {
	const client = dag.secrets()
	return client.renderTemplate(ageKey, encryptedDataFile, templateFile)
}

validateAgeKeyPair() 🔗

ValidateAgeKeyPair derives the public key from the given AGE private key and verifies it matches the provided public key. Fails fast on mismatch.

Usage:

dagger call -m secrets validate-age-key-pair --sops-age-key env:SOPS_AGE_KEY --age-public-key env:AGE_PUB
Return Type
String !
Arguments
NameTypeDefault ValueDescription
sopsAgeKeySecret !-AGE private key
agePublicKeySecret !-AGE public key to validate against
Example
# env:MYSECRET is a placeholder for both arguments; in practice the private key
# and the public key live in two different environment variables.
dagger -m github.com/stuttgart-things/blueprints/secrets@4df4b40c0e2b37efe3a2b728cee543226f459da5 \
  call validate-age-key-pair \
  --sops-age-key env:MYSECRET \
  --age-public-key env:MYSECRET
// Example derives the public key from the AGE private key in sopsAgeKey and
// checks it against agePublicKey; the call fails on mismatch.
// NOTE(review): in the Go SDK a ctx-taking call like this also yields an error;
// a real module function should return (string, error) and propagate it.
func (m *MyModule) Example(ctx context.Context, sopsAgeKey *dagger.Secret, agePublicKey *dagger.Secret) string {
	secrets := dag.Secrets()
	return secrets.ValidateAgeKeyPair(ctx, sopsAgeKey, agePublicKey)
}
@function
async def example(sops_age_key: dagger.Secret, age_public_key: dagger.Secret) -> str:
	"""Derive the public key from sops_age_key and verify it matches age_public_key (fails on mismatch)."""
	client = dag.secrets()
	result = await client.validate_age_key_pair(sops_age_key, age_public_key)
	return result
/** Derives the public key from sopsAgeKey and verifies it matches agePublicKey; fails on mismatch. */
@func()
async example(sopsAgeKey: Secret, agePublicKey: Secret): Promise<string> {
	const client = dag.secrets()
	const result = await client.validateAgeKeyPair(sopsAgeKey, agePublicKey)
	return result
}