kustomize-controller
Issues integrating SOPS with Kustomize Controller
Hi!
Kustomize Controller version: v1.2.2
I've been trying to integrate SOPS with Kustomize Controller. The secret provider of our choice is HashiCorp Vault. I have been following the documentation specified here: https://fluxcd.io/flux/guides/mozilla-sops/
The Kustomization is already created; I've specified the decryption provider as sops and referenced a secret for credentials. Following the documentation, the secret is specified in the following format:
apiVersion: v1
kind: Secret
metadata:
  name: <name>
  namespace: <namespace>
data:
  sops.vault-token: <BASE-64>
I've also tried creating a secret using this code snippet (also from the docs):
echo $VAULT_TOKEN |
kubectl create secret generic sops-hcvault \
  --namespace=flux-system \
  --from-file=sops.vault-token=/dev/stdin
However, it seems that the kustomize controller does not accept the token, and I see the following error output:
Secret/sops-secrets-test/test-sops dry-run failed: failed to convert new object (sops-secrets-test/test-sops; /v1, Kind=Secret) to proper version: unable to convert unstructured object to /v1, Kind=Secret: error decoding from json: illegal base64 data at input byte 4
It seems that the issue might be that the controller accepts only alphanumeric characters. Our Vault token though has a format of hvs.<TOKEN>.
I've tried using stringData with the unencoded token, but I have the same issue. If I use stringData with a base64 encrypted token, however, the kustomize controller does not have problems with it, but the token does not work (as it accepts the token as a plain string and does not decode it afterwards).
Just wanted to confirm, is this behavior expected? And do you have any suggestions on how I can work around this issue?
Thanks in advance!
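The following is an added example, not part of the original post and not code from Flux or Kubernetes: a small Python model of how a Kubernetes Secret's `data` field (must be base64) and `stringData` field (taken literally) turn into the bytes a consumer reads under `sops.vault-token`. The token value is constructed, and the helper names `effective_secret_bytes` and `check_token` are hypothetical.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
KEY = "sops.vault-token"
TOKEN = "hvs.CONSTRUCTEDexample"  # constructed sample, not a real token
ENCODED = base64.b64encode(TOKEN.encode()).decode()

def effective_secret_bytes(manifest):
    """Return {key: bytes} the way a Secret is stored: `data` values are
    decoded from base64, `stringData` values are literal and win on conflict."""
    out = {}
    for key, value in manifest.get("data", {}).items():
        try:
            out[key] = base64.b64decode(value, validate=True)
        except binascii.Error:
            # Index of the first character outside the base64 alphabet, if any.
            bad = next((i for i, c in enumerate(value) if c not in B64_ALPHABET), None)
            raise ValueError(f"data[{key!r}] is not base64 (first bad char index {bad})")
    for key, value in manifest.get("stringData", {}).items():
        out[key] = value.encode()
    return out

def check_token(manifest, key=KEY):
    """Classify what a reader of `key` would receive."""
    try:
        raw = effective_secret_bytes(manifest)[key]
    except ValueError as err:
        return f"rejected: {err}"
    token = raw.decode(errors="replace")
    if token.startswith("hvs."):
        return "ok: literal token"
    try:
        if base64.b64decode(token, validate=True).decode().startswith("hvs."):
            return "wrong: stored value is still base64-encoded"
    except (binascii.Error, UnicodeDecodeError):
        pass
    return "unknown value"

if __name__ == "__main__":
    cases = {
        "data + base64": {"data": {KEY: ENCODED}},
        "data + raw token": {"data": {KEY: TOKEN}},
        "stringData + raw token": {"stringData": {KEY: TOKEN}},
        "stringData + base64": {"stringData": {KEY: ENCODED}},
    }
    for name, manifest in cases.items():
        print(f"{name:24} -> {check_token(manifest)}")
```

Running `kubectl get secret <name> -o jsonpath='{.data.sops\.vault-token}' | base64 -d` against the real object shows which of these four cases the stored Secret falls into.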