
kustomize-controller does not work with sops encrypted_comment_regex

Open fredgate opened this issue 7 months ago • 2 comments

Sops allows encrypting only the lines annotated with a comment matching a regex. This is very useful as manifests stored in the git repository are more readable: only sensitive data are encrypted and everything else is clearly readable.

The .sops.yaml file can be configured like this:

creation_rules:
- path_regex: \.yaml$
  encrypted_comment_regex: "^ sops-encrypt"
  pgp: E38ACXXXXXXXXXXXXXXXXXXXXXXXXXX

So a HelmRelease can be stored like this:

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
    name: myapplication
    namespace: default
spec:
    chart:
        spec:
            chart: myapplication
            version: 1.x.x
            sourceRef:
                kind: HelmRepository
                name: helm
                namespace: flux-system
            interval: 2m
    interval: 3m
    values:
        image:
            repository: registry.contoso.com/contoso/myapplication
        rootUser: admin
        # sops-encrypt
        rootPassword: ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]
        foo: bar
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2025-03-31T08:29:21Z"
    mac: ENC[AES256_GCM,data:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,type:str]
    pgp:
        - created_at: "2025-03-31T08:29:21Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            -----END PGP MESSAGE-----
          fp: E38ACXXXXXXXXXXXXXXXXXXXXXXXXXX
    encrypted_comment_regex: ^ sops-encrypt
    version: 3.9.0

The problem is that the kustomize-controller marshals the resource to JSON before decrypting it, so it loses the comments and then sops decrypts nothing: https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go#L346-L350.
The resource deployed in the cluster contains the encrypted string instead of the sensitive data:

kubectl get hr myapplication -o yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
    name: myapplication
    namespace: default
spec:
    chart:
        spec:
            chart: myapplication
            version: 1.x.x
            sourceRef:
                kind: HelmRepository
                name: helm
                namespace: flux-system
            interval: 2m
    interval: 3m
    values:
        image:
            repository: registry.contoso.com/contoso/myapplication
        rootUser: admin
        rootPassword: ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]
        foo: bar

fredgate Mar 31 '25 09:03
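Added example (not part of the issue or of kustomize-controller's code): an audit over the `kubectl get hr -o json` output that flags every leaf value still wrapped in the SOPS `ENC[...]` envelope, which is exactly how the undecrypted `rootPassword` above shows up in the cluster. The JSON document is constructed from the manifest in the issue; the `find_undecrypted` and `audit` names are this example's own.

```python
import json
import re

# SOPS leaves an undecrypted value as ENC[<cipher>,data:<b64>,iv:<b64>,tag:<b64>,type:<t>].
# Anchored so an arbitrary string that merely starts with "ENC[" is not flagged.
ENC_RE = re.compile(
    r"^ENC\[(?P<cipher>[A-Z0-9_]+),data:(?P<data>[^,\]]+),iv:(?P<iv>[^,\]]+),"
    r"tag:(?P<tag>[^,\]]+),type:(?P<type>[a-z]+)\]$"
)


def find_undecrypted(obj, path="$"):
    """Walk a decoded manifest; return (json_path, sops_type) for each leaf still in ENC[...] form."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_undecrypted(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_undecrypted(value, f"{path}[{idx}]"))
    elif isinstance(obj, str):
        match = ENC_RE.match(obj)
        if match:
            hits.append((path, match.group("type")))
    return hits


def audit(manifest_json):
    """Return one finding line per undecrypted value in a `kubectl get ... -o json` document."""
    return [f"undecrypted SOPS value ({t}) at {p}"
            for p, t in find_undecrypted(json.loads(manifest_json))]


# Constructed sample: the HelmRelease as the cluster returns it after the controller
# applied it without decrypting the comment-annotated value (same ENC string as the issue).
SAMPLE_JSON = """
{
  "apiVersion": "helm.toolkit.fluxcd.io/v2",
  "kind": "HelmRelease",
  "metadata": {"name": "myapplication", "namespace": "default"},
  "spec": {
    "interval": "3m",
    "values": {
      "image": {"repository": "registry.contoso.com/contoso/myapplication"},
      "rootUser": "admin",
      "rootPassword": "ENC[AES256_GCM,data:WTZcAXgmxZU3m6HtFukJvqGu,iv:k4WG13EBxvt+mkeimz9tpC/B/UyGSeJ9ygEyWtYcdBU=,tag:e9kam+6mR5WLb2UDVIjVPA==,type:str]",
      "foo": "bar"
    }
  }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_JSON):
        print(finding)
```

Pipe `kubectl get hr <name> -o json` into `audit` as a post-reconcile check; any finding means a value the controller should have decrypted reached the cluster as ciphertext.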