"SOPS Secrets: Git-Friendly Encryption for Kubernetes and IaC"
Shipping software with modern Git workflows often means secrets become everyone's problem: reviewed in pull requests, promoted across environments, and consumed by automation that must be both reliable and auditable. This book targets experienced engineers—platform teams, SREs, security-minded developers, and DevOps leaders—who need a Git-native way to manage sensitive configuration without inventing fragile side channels or accepting "trust me" deployment pipelines.
You'll build a precise mental model of how SOPS works: envelope encryption, data keys and recipients, integrity/MAC semantics, and the practical implications of partial encryption for diffs and merges. From there, the book goes deep on choosing and operating key backends (age, PGP/GnuPG, and cloud KMS), encoding repo policy with `.sops.yaml`, and troubleshooting operator-grade failure modes. You'll also learn lifecycle engineering—recipient changes, rekeying strategies, and audit evidence—plus automation boundaries for CI and IaC, including Terraform plan/state-adjacent hazards.
Coverage culminates in Kubernetes + GitOps: designing decryption boundaries, least-privilege in-cluster reconciliation, and incident-ready recovery playbooks. Examples and guidance are geared toward real toolchains and production constraints; readers should already be fluent in Git, CI/CD, and Kubernetes fundamentals.
