
Issues integrating SOPS with Kustomize Controller

Open seidigapbar opened this issue 2 months ago • 0 comments

Hi!

Kustomize Controller version: v1.2.2

I've been trying to integrate SOPS with Kustomize Controller. The secret provider of our choice is HashiCorp Vault. I have been following the documentation specified here: https://fluxcd.io/flux/guides/mozilla-sops/

The Kustomization is already created; I've specified the decryption provider as sops and referenced a secret for credentials. Following the documentation, the secret is specified in the following format:

apiVersion: v1
kind: Secret
metadata:
  name: <name>
  namespace: <namespace>
data:
  sops.vault-token: <BASE-64>

I've also tried creating a secret using this code snippet (also from the docs):

echo $VAULT_TOKEN |
kubectl create secret generic sops-hcvault \
--namespace=flux-system \
--from-file=sops.vault-token=/dev/stdin

However, it seems that the kustomize controller does not accept the token, and I see the following error output:

Secret/sops-secrets-test/test-sops dry-run failed: failed to convert new object (sops-secrets-test/test-sops; /v1, Kind=Secret) to proper version: unable to convert unstructured object to /v1, Kind=Secret: error decoding from json: illegal base64 data at input byte 4

It seems that the issue might be that the controller accepts only alphanumeric characters. Our Vault token though has a format of hvs.<TOKEN>.

I've tried using stringData with the unencoded token, but I have the same issue. If I use stringData with a base64 encrypted token, however, the kustomize controller does not have problems with it, but the token does not work (as it accepts the token as a plain string and does not decode it afterwards).

Just wanted to confirm, is this behavior expected? And do you have any suggestions on how I can work around this issue?

Thanks in advance!

seidigapbar avatar Apr 29 '24 10:04 seidigapbar
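The error above comes from the Kubernetes Secret contract, not from SOPS itself: every value under `data` must be valid base64 (the API server decodes it), while values under `stringData` are plain text that the API server base64-encodes and merges into `data`, overriding any same-named key. A raw Vault token such as `hvs....` contains a `.`, which is not a base64 character, so placing it directly under `data` fails to decode. The following script is an added example, not code from the issue author or the Flux project; it mirrors those API-server semantics locally so the three cases (raw token in `data`, base64 token in `data`, plain token in `stringData`) and two common mistakes (double encoding, and the trailing newline that `echo` adds when piping into `--from-file`) can be checked offline. The token value is constructed for the example, and the `hvs.` prefix check only reflects the format mentioned in the issue.

```python
"""Mirror how the Kubernetes API server treats a Secret's `data` and
`stringData` fields, to show why a raw Vault token in `data` is rejected
and which layouts hand the controller the token it expects."""
import base64
import binascii

# Constructed sample value for the example; NOT a real Vault token.
SAMPLE_TOKEN = "hvs.EXAMPLEtokenValue123"
TOKEN_KEY = "sops.vault-token"


def make_secret(field: str, value: str) -> dict:
    """Build a minimal Secret manifest with the token under `data` or `stringData`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "sops-hcvault", "namespace": "flux-system"},
        field: {TOKEN_KEY: value},
    }


def normalize_secret(secret: dict) -> dict:
    """Return a copy with stringData folded into data, as the API server does.

    Every resulting data value is validated as strict base64; a bad value
    raises ValueError with a message in the same spirit as the controller's
    "illegal base64 data" error."""
    data = dict(secret.get("data") or {})
    for key, value in (secret.get("stringData") or {}).items():
        # stringData is plain text: the server base64-encodes it and lets it
        # override a same-named key already present in data.
        data[key] = base64.b64encode(value.encode()).decode()
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"data[{key!r}]: illegal base64 data ({exc})") from exc
    out = dict(secret)
    out["data"] = data
    out.pop("stringData", None)
    return out


def is_accepted(secret: dict) -> bool:
    """True if the manifest would pass the API server's base64 validation."""
    try:
        normalize_secret(secret)
        return True
    except ValueError:
        return False


def decoded_value(secret: dict, key: str = TOKEN_KEY) -> str:
    """The plain value a consumer (such as the controller) sees after decoding."""
    return base64.b64decode(normalize_secret(secret)["data"][key], validate=True).decode()


def check_token(value: str) -> list:
    """Hygiene checks on the decoded token before handing it to SOPS/Vault."""
    problems = []
    if value != value.strip():
        # `echo $VAULT_TOKEN | kubectl ... --from-file=...=/dev/stdin` captures
        # echo's trailing newline into the secret value.
        problems.append("token has leading/trailing whitespace")
    if not value.startswith("hvs."):
        # Assumption from the issue text: the tokens in use start with "hvs.".
        problems.append("token does not start with the expected 'hvs.' prefix")
    return problems


# Wrong: raw token under `data` (the '.' is not in the base64 alphabet).
BROKEN = make_secret("data", SAMPLE_TOKEN)
# Right, option 1: base64-encode the token yourself and put it under `data`.
ENCODED = make_secret("data", base64.b64encode(SAMPLE_TOKEN.encode()).decode())
# Right, option 2: plain token under `stringData`; the server encodes it.
PLAIN = make_secret("stringData", SAMPLE_TOKEN)
# Mistake: base64 text under `stringData` is treated as the literal value, so
# the consumer receives base64 text instead of the token (double encoding).
DOUBLE = make_secret("stringData", base64.b64encode(SAMPLE_TOKEN.encode()).decode())
# Mistake: newline from `echo` captured into the value.
NEWLINE = make_secret("stringData", SAMPLE_TOKEN + "\n")

if __name__ == "__main__":
    for label, secret in [("raw in data", BROKEN), ("base64 in data", ENCODED),
                          ("plain in stringData", PLAIN), ("double-encoded", DOUBLE),
                          ("trailing newline", NEWLINE)]:
        if not is_accepted(secret):
            print(f"{label}: rejected by API-server-style validation")
            continue
        value = decoded_value(secret)
        print(f"{label}: consumer sees {value!r}; problems={check_token(value)}")
```

Run it directly to see which layouts are rejected outright and which are accepted but deliver a value that is not the token; the same reasoning applies to a `kubectl create secret ... --dry-run=client -o yaml` output, where the `--from-file` path always lands under `data` already base64-encoded.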