Any way to use Komodo with encrypted .env via SOPS?

[nahnotnathan]

Currently running one large docker compose file for all my containers that stores sensitive data (database passwords, bypass keys, etc) in an encrypted .env file using SOPS.

When I run my compose file, i use the following command:
sops exec-file --no-fifo .env "docker compose --env-file {} up -d"

Overall this works great for me, but I'm interested in Komodo and I'd like to be able to maintain keeping my secrets encrypted via SOPS. I don't want to deploy a Hashicorp / OpenBao vault as it is extremely overkill for this purpose.

Is there a way for me to use SOPS and Komodo together? Does anyone have a similar setup?

[OKok-3]

I was just going to propose this idea as well. My solution right now is to simply extend the Komodo image and install SOPS and age, and attach the age key to the Komodo container in read only mode. Then for each compose stack I add a pre-deploy command to:

1. touch a .env if it doesn't exist (Komodo doesn't like no env file when you've specified one)
2. copy over the sops.yaml file to the current directory and decrypt it

and deploy the stack in Komodo as usual.

This is the Dockerbuild file I'm using:

FROM ghcr.io/moghtech/komodo-periphery:latest

# Install age
RUN apt-get update \ 
  && apt-get install -y --no-install-recommends age

# Clean up
RUN apt-get clean \
  && rm -rf /var/lib/apt/lists/*

# Install sops
RUN curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64 \
  && chmod +x sops-v3.11.0.linux.amd64 \
  && mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops

# Create the sops directory
RUN mkdir -p $HOME/.config/sops/age

The only tedious part is keeping up with both Komodo and SOPS development to make sure everything is up to date.

[Blacks-Army]

I just looked it up a few days ago if anyone proposed something like that lol

I also would love to see this implemented!

[cavazos-apps]

Would love to see this as well, trying to set up something similar and for a project so integration into GitOps, this seems like a no brainer.