I'm trying to use fluxcd on my Kubernetes cluster, which is working perfectly fine.
Now I wanted to add the prometheus/grafana stack and use sops to decrypt the basic_auth part in the scrapingConfig for prometheus.
The issue is, I encrypted the secret and added the private pgp key as sops-gpg to the cluster. The secret is used, but the content remains encrypted (starting with ENC[...).
What am I missing?
gotk-sync.yaml:
```yaml
# This manifest was generated by flux. DO NOT EDIT.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: iac
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: k8s
  secretRef:
    name: iac
  url: ssh://git@git.example.com/infrastruktur/iac
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: iac
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./
  prune: true
  sourceRef:
    kind: GitRepository
    name: iac
  validation: client
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
```
The prometheus/additional-scrape-configs.sops.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: additional-scrape-configs
  namespace: prometheus
type: Opaque
stringData:
  additional-scrape-configs.yaml: ENC[...]
sops:
  lastmodified: "2025-09-24T12:13:55Z"
  mac: ENC[...]
  pgp:
    - created_at: "2025-09-24T12:13:55Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        ...
        -----END PGP MESSAGE-----
      fp: ...
  encrypted_regex: ^(data|stringData)$
  version: 3.10.2
```
The prometheus/release.yaml:
```yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: prometheus-stack
  namespace: prometheus
spec:
  interval: 5m
  chart:
    spec:
      chart: kube-prometheus-stack
      version: "56.5.0"
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
        namespace: prometheus
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
  values:
    grafana:
      ingress:
        enabled: true
        ingressClassName: "traefik"
        hosts:
          - grafana.example.com
    prometheus:
      prometheusSpec:
        additionalScrapeConfigSecret:
          name: additional-scrape-configs
          key: additional-scrape-configs.yaml
```
The .sops.yaml:
```yaml
creation_rules:
  - path_regex: *.sops.yaml
    encrypted_regex: '^(data|stringData)$'
    pgp: >-
      ...
```
kustomization.yaml:
```yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - prometheus
  - traefik
```
prometheus/kustomization.yaml:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - release.yaml
  - repository.yaml
  - additional-scrape-configs.sops.yaml
```
I already fixed my repo names as stated in "Flux not decrypting using SOPS".
Edit:
I fixed the .sops.yaml and changed path_regex to .sops.yaml.
I also tried `sops -d prometheus/additional-scrape-configs.sops.yaml`, which works fine.
Removed `validation: client` and `secretsRef: iac` from gotk-sync.yaml.
I fixed it by changing stringData to data and providing the content as a base64 string.
Also had to rename the repo name back to flux-system.
And had to add the decryption section with the flux command:
```bash
flux create kustomization flux-system \
  --source=flux-system \
  --path=./ \
  --prune=true \
  --interval=10m \
  --decryption-provider=sops \
  --decryption-secret=sops-gpg
```
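The symptom in this question (a Secret that lands in the cluster with its values still starting with `ENC[`) is easy to detect after the fact. The script below is an added example, not part of the post or of Flux/SOPS; it takes a Secret as returned by `kubectl get secret -o json` (the samples are constructed inline) and lists the keys whose value is still SOPS ciphertext, and it also checks whether a Flux Kustomization spec carries the `decryption` block at all.

```python
import base64
from typing import List

SOPS_MARKER = "ENC["  # every SOPS-encrypted scalar starts with this


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed samples (not from the post), shaped like the output of
# `kubectl get secret -n prometheus additional-scrape-configs -o json`.
# The first is what you see when Flux applied the manifest without decrypting it.
SECRET_STILL_ENCRYPTED = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "additional-scrape-configs", "namespace": "prometheus"},
    "data": {"additional-scrape-configs.yaml":
             _b64("ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]")},
}
SECRET_DECRYPTED = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "additional-scrape-configs", "namespace": "prometheus"},
    "data": {"additional-scrape-configs.yaml":
             _b64("- job_name: example\n  basic_auth:\n    username: u\n    password: p\n")},
}


def undecrypted_keys(secret: dict) -> List[str]:
    """Keys whose value still carries the SOPS marker. `data` holds base64 (the
    in-cluster form); `stringData` holds plain text (manifest form before apply)."""
    found = []
    for key, value in (secret.get("data") or {}).items():
        try:
            plain = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not base64, skip it
            continue
        if plain.startswith(SOPS_MARKER):
            found.append(key)
    for key, value in (secret.get("stringData") or {}).items():
        if str(value).startswith(SOPS_MARKER):
            found.append(key)
    return found


def decryption_configured(kustomization: dict) -> bool:
    """True when a Flux Kustomization spec names the sops provider and a key Secret."""
    dec = (kustomization.get("spec") or {}).get("decryption") or {}
    return dec.get("provider") == "sops" and bool((dec.get("secretRef") or {}).get("name"))


if __name__ == "__main__":
    for s in (SECRET_STILL_ENCRYPTED, SECRET_DECRYPTED):
        bad = undecrypted_keys(s)
        print(s["metadata"]["name"], "still encrypted:" if bad else "ok", bad)
```

Run it against real output with `kubectl get secret -n <ns> <name> -o json | python3 -c 'import json,sys; ...'` or by loading the JSON into `undecrypted_keys`; an empty list means the decryption actually happened.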